Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

X-label -> only appear hour

assuncao
New Member
‎02-17-2018 08:06 AM

I did this search on splunk:

index=esi_svc svc_top=1 earliest=10/19/2017:0:0:0 latest=10/19/2017:23:59:0
|eval erro=if(NOT isnull(svc_exception),1,0)
|bucket _time span=10M
|eval time=strftime(_time,"%H:%M")
|eval day = strftime(_time,"%d")
|stats count as b sum(erro) as tot by time day
| eval "19/10" = if(day=19,round((tot/b)*100,4),NULL)
|table "time" "19/10"

I want to have all the bars (referents to 10min) but in x-labels only appear when the hour changes.

Thanks

Tags (1)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-17-2018 09:40 AM

To create a chart over time, consider using timechart: http://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/timechart

Your search would look something like this:

index=esi_svc svc_top=1 earliest=10/19/2017:0:0:0 latest=10/19/2017:23:59:0
| timechart span=10m count count(svc_exception) as errors
| eval error_rate = round((errors / count)*100,4)
| fields - count errors

The chart rendered from this will automatically pick only a few time labels to display.

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...