Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to create a legend on the y-axis to show all dates?

Bentash
Explorer
‎03-14-2018 09:06 AM

Help with time chart on legend(y-axis) instead of x-axis
with time field to show as July 2018 for all June dates

example of original date field values= 7/2/2018
7/7/2018
7/13/2018
8/2/2018

I should also be able to apply time picker options.
NB: Data is from a lookup table

alt text

Preview file
1 KB
0 Karma
Reply

niketn
Legend
‎03-14-2018 11:07 AM

@Bentash, please try the following run anywhere search based on Splunk's _internal index.
PS: I have used time format as %Y/%m i.e. 2018/01, 2018/02 etc. to have the String date field sorted. If you can live with this format you will not need the rename commands after that. The rename command changes the same from 2018/01 to Jan 2018 etc.

Transpose command has been used to invert the axis. Also since timechart command is used default timespan related fields i.e. _span* values need to be removed from results.

index=_internal sourcetype=splunkd log_level!="INFO"
| timechart span=1mon count
| eval _time=strftime(_time,"%Y/%m")
| transpose header_field="_time"
| search column!="_*"
| rename "*/01" as "Jan *"
| rename "*/02" as "Feb *"
| rename "*/03" as "Mar *"
| rename "*/04" as "Apr *"
| rename "*/05" as "May *"
| rename "*/06" as "Jun *"
| rename "*/07" as "Jul *"
| rename "*/08" as "Aug *"
| rename "*/09" as "Sep *"
| rename "*/10" as "Oct *"
| rename "*/11" as "Nov *"
| rename "*/12" as "Dec *"

Please try out and confirm. Also see whether you need Bar chart or Column chart to represent your data. As your total data points will be less you may use bar chart instead.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

Bentash
Explorer
‎03-14-2018 11:32 AM

@niketnilay, this did not work and actually returning false results.
I just need to flip the time field and basically this is creating columns for that field and counting the field value for that field.

0 Karma
Reply

niketn
Legend
‎03-14-2018 11:44 AM

What do you mean why false results? Did you run the exact run anywhere search or plug in your base query?

I tested with and without transpose after the timechart command and count remained the same.

alt text

If you are not testing the above run anywhere search can you please paste the query that you have tried. Also with the expected result?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

Bentash
Explorer
‎03-14-2018 12:00 PM

unfortunately i cannot share my pictures. dont know why but for instance one field has over 18 counts (counted by another field) but when i transpose i get less than that.

0 Karma
Reply

Bentash
Explorer
‎03-14-2018 12:29 PM

@niketnilay, this data is from a lookup too so consider _time

0 Karma
Reply

niketn
Legend
‎03-14-2018 09:54 AM

@Bentash could you add a mock screenshot of what you need?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

Bentash
Explorer
‎03-14-2018 10:24 AM

@niketnilay i added a sketch

0 Karma
Reply
Get Updates on the Splunk Community!

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...