Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to present the date and value not in epoch format and is there a way to add a line to the bubble chart (over the time), in order to show trend?

matansocher
Contributor
‎05-02-2018 06:48 AM

Hi,

I created a bubble chart with numeric values on the y-axis and time(epoch) on the x-axis, and the bubble size is another numeric field.
I want to present the date value and not the epoch, so the users will understand the date. Is that possible?

Also, is there a way to add a line to the bubble chart (over the time), in order to show a trend?

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Richfez
SplunkTrust
SplunkTrust
‎05-05-2018 05:42 AM

You cannot use a time as a Bubble or Scatter chart's X axis. This is not supported.

You would think it's just a big integer that you could fieldformat into whatever look you wanted, but that's not how it works. For those chart types they had to do some "special" handling of some things inside the code, and that special handling breaks times being used as the X axis.

(By the way, if you leave it as epoch it sort of, kind of works. It will be backwards and the scale will be ... umm ... "different", but it might be OK enough for your needs.)

After I reported a bug a while back for this inconsistent and baffling behavior, I got an answer:

After working with the Development team they have confirmed that currently plotting time axis on scatter chart is not supported.

(Along with various other information that informed me about the why).

But there's good news! If you have an active support contract, please create a P4 ticket (Enhancement Request) and refer to their internal Dev ticket "bug: SPL-152883". That will let them know there's more than one person who wants this to work right.

Now, MAYBE - ENTIRELY UNTESTED! - a workaround might be if you really want to use a bubble chart for a time-based X axis would be to ... like... maybe don't use dates or times, but build your own relative time in hours or minutes from start:

  1. subtract the smallest time (in epoch) in the data you are showing from all the times
  2. divide by 60 (because epoch is in seconds this makes minutes) or 3600 (to make hours)
  3. label the axis "minutes from start" or "hours from start".

You could do this with something like (again untested) ... | eventstats min(time) AS earlyTime | eval myTime = _time - earlyTime then using myTime as your X axis field.

So, sorry about that bad news, but I hope we can find you a workaround!

Happy Splunking!
-Rich

View solution in original post

Reply
Solved! Jump to solution
Solution

Richfez
SplunkTrust
SplunkTrust
‎05-05-2018 05:42 AM

You cannot use a time as a Bubble or Scatter chart's X axis. This is not supported.

You would think it's just a big integer that you could fieldformat into whatever look you wanted, but that's not how it works. For those chart types they had to do some "special" handling of some things inside the code, and that special handling breaks times being used as the X axis.

(By the way, if you leave it as epoch it sort of, kind of works. It will be backwards and the scale will be ... umm ... "different", but it might be OK enough for your needs.)

After I reported a bug a while back for this inconsistent and baffling behavior, I got an answer:

After working with the Development team they have confirmed that currently plotting time axis on scatter chart is not supported.

(Along with various other information that informed me about the why).

But there's good news! If you have an active support contract, please create a P4 ticket (Enhancement Request) and refer to their internal Dev ticket "bug: SPL-152883". That will let them know there's more than one person who wants this to work right.

Now, MAYBE - ENTIRELY UNTESTED! - a workaround might be if you really want to use a bubble chart for a time-based X axis would be to ... like... maybe don't use dates or times, but build your own relative time in hours or minutes from start:

  1. subtract the smallest time (in epoch) in the data you are showing from all the times
  2. divide by 60 (because epoch is in seconds this makes minutes) or 3600 (to make hours)
  3. label the axis "minutes from start" or "hours from start".

You could do this with something like (again untested) ... | eventstats min(time) AS earlyTime | eval myTime = _time - earlyTime then using myTime as your X axis field.

So, sorry about that bad news, but I hope we can find you a workaround!

Happy Splunking!
-Rich

Reply
Solved! Jump to solution

matansocher
Contributor
‎05-07-2018 09:17 PM

Hi Rich thank you for your answer, it helped!
I understand that setting the x axis with time values is not possible, so I definitely take your solution.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎05-02-2018 09:57 AM

Whats you search that you're currently using?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...