
Ticks not showing on timechart

pcsegal
Explorer

Hello,

I have the following timechart, where I plot the count of events from "my_index" per hour over the last 7 days by country (for 3 countries).

    <panel>
      <chart>
        <search>
          <query>index="my_index" | timechart cont=FALSE span="1h" sum(count) by country | rename _time as Time | convert timeformat="%m-%d" ctime(Time)</query>
          <earliest>-7d@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">45</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
        <option name="height">253</option>
      </chart>
    </panel>

This produces the following output:

[Image: Splunk events per hour timechart]

The problem here is: I see no ticks on the timechart's X-axis. What I would like to see is the day and month (formatted as %m-%d) for each day.
If I change from 1h to 1d, the X-axis ticks appear... but that's not what I want. I want to plot the events per hour over the last 7 days, and show the major ticks for each day.

Digging around in Splunk Answers and the Splunk manual, I have found settings such as "charting.axisLabelsX.majorUnit" and "charting.axisLabelsX.majorTickVisibility", but I can't seem to find any sufficient info on how to make this work.

Any suggestions?

Thank you in advance.

EDIT: I should point out that this doesn't seem to have any relation with the time format conversion, or with the fact that I renamed the _time field as Time. Even if I keep the _time field as it is, without the time format conversion and without renaming it to Time, the behavior still persists. That is, if I simply do:

    index="my_index" | timechart cont=FALSE span="1h" sum(count) by country

The resulting graph still does not contain the day and month labels.
Also, repeating what I said in the comment below: If I leave out the span="1h", the resulting graph does show the labels dynamically. However, what interests me in this graph is the hourly behavior of the event count, which is why I want the span to be 1 hour. If I leave out the 1 hour span, Splunk will choose a longer time span, and the resulting graph will not properly convey the desired information.


niketn
Legend

@pcsegal, If you take out span, Splunk chooses a default timespan based on the time range selected. In your case it will be span=1d. You are not able to see anything on the x-axis because there might be too many data points. Does your timechart occupy the entire row? Or is there any other panel besides this timechart in the same row?

Have you tried zooming in to specific section in chart using Left Click and Drag on the chart to Zoom? Does it show Time Range? Refer to one of my recent answers on similar lines: https://answers.splunk.com/answers/584026/splunk-dashboard-timechart-x-axis-does-not-show-ho.html#an...

Following is the run anywhere dashboard I created and I can see the ticks.


    <dashboard>
      <label>Timechart x-axis label</label>
      <row>
        <panel>
          <chart>
            <search>
              <query>index=_internal sourcetype=splunkd log_level!="INFO"
    | timechart cont=FALSE span="1h" count by log_level</query>
              <earliest>-7d@h</earliest>
              <latest>now</latest>
              <sampleRatio>1</sampleRatio>
            </search>
            <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
            <option name="charting.axisLabelsX.majorLabelStyle.rotation">45</option>
            <option name="charting.axisTitleX.visibility">visible</option>
            <option name="charting.axisTitleY.text">Time</option>
            <option name="charting.axisTitleY.visibility">visible</option>
            <option name="charting.chart">line</option>
            <option name="charting.chart.nullValueMode">gaps</option>
            <option name="charting.chart.showDataLabels">none</option>
            <option name="charting.drilldown">none</option>
            <option name="charting.layout.splitSeries">0</option>
            <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
            <option name="charting.legend.placement">right</option>
            <option name="height">253</option>
          </chart>
        </panel>
      </row>
    </dashboard>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

pcsegal
Explorer

Hello, niketnilay. Thank you for your answer. This chart occupies the whole width of the screen. However, if I zoom in the chart, the ticks appear.
When I tried the run-anywhere dashboard example, as the data loaded, it showed all the ticks until the number of data points got too big. From that point on, the ticks only show if I do enough zoom. This confirms what you said: the problem is the large amount of data points.
Doesn't Splunk have a way to set the number of labels to skip in the X-axis? That would be very convenient.


niketn
Legend

@pcsegal, Have you tried with the run anywhere search? In order to get more data points you can change from span="1h" to span="1s".
If your time span is 7d@h and now, ideally timechart should show minimal days if there are too many data points or width of timechart is less.

Are you using _time without time formatting?
Also try removing cont=FALSE to see expected output. How many data points (results) does the query give? Ideally Splunk shows a warning message on top right side of panel when there are too many data points.

Worst case you can refer to the following answer to add static marks overlaying the chart: https://answers.splunk.com/answers/566888/adding-static-vertical-lines-to-a-scatter-plot.html

You can add 7 vertical marks and position them with CSS style so that you can use them as reference for each day when _time is not being displayed on x-axis.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

niketn
Legend

@pcsegal, you are trying to bucket stats for every hour but trying to retain time in MM-DD format. This will not work out. You can leave _time as is and timechart will plot dynamically the x-axis labels based on the width of your display. You can resize your browser to reduce the width to check out the same. At about 50% size it will show only the Dates on the x-axis label. So, in other words it is better to leave _time as is.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

pcsegal
Explorer

Hello, niketnilay. Unfortunately, even if I use _time without any format conversion and without any name change, it still does not show the labels.
If I leave out the span="1h", it does show labels dynamically. However, what interests me in this graph is the hourly behavior of the event count; if I leave out the time span, Splunk will choose a longer time span, and the resulting graph will not show what I want to see.


Richfez
SplunkTrust

I believe the issue is that rename _time to Time. Things can get a little goofy when you do that, but there are easy workarounds (or maybe they should be just called "different ways to do that.")

Edit your dashboard, change to Source mode (Or edit it on the cmd line in your system). Change your search/query to this...

       <query>index="my_index" | timechart cont=FALSE span="1h" sum(count) by country | convert timeformat="%m-%d" ctime(_time) </query>

Save that. Now edit the dashboard again, this time leaving it in UI mode, Format the Visualization (e.g. the "pen" icon) and in the X-Axis section change the label from "Default" to "Custom" and type "Time" in there.

Similarly, if you want to do it from the source mode or by hand, try putting these two things in there for that panel:

    <option name="charting.axisTitleX.text">Time</option>
    <option name="charting.axisTitleX.visibility">visible</option>

Let us know how that works! Happy Splunking!

-Rich


pcsegal
Explorer

Hey, Rich. Thank you for your quick response.

Unfortunately, that was not the issue. I kept the "_time", and I formatted the visualization to show the X-Axis title as "Time". However, the ticks still don't show.
I also tried to set these options:

    <option name="charting.axisLabelsX.majorUnit"> P1M1D</option>
    <option name="charting.axisLabelsX.majorTickVisibility">show</option>

But it has no effect. The value "P1M1D" for charting.axisLabelsX.majorUnit is a guess (based on what I could find on the Internet), because I can't seem to find any online resource on what should be the value of charting.axisLabelsX.majorUnit.
Also, I forgot to point out that I am using Splunk 6.6.2.

Thank you in advance.


cpetterborg
SplunkTrust

I believe your problem may be that you have too many Time entries for it to use as the labels. If you do any line chart where you have too many labels, it will choose to NOT show them. Yes, you still have _time, but you have told it to use Time, which doesn't function the same way that it would if you just let it use _time.


pcsegal
Explorer

Hello, cpetterborg. Unfortunately, even if I use _time without any format conversion and without any name change, it still does not show the labels.
