- Splunk Answers
- :
- Splunk Administration
- :
- Monitoring Splunk
- :
- Re: Can you help me with the time series data and ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a chart that shows a time series, for example, let's say it's the # of donuts sold by noon every day for a month in a specific store. When increasing the number of days rendered, eventually the X Axis labels disappear for readability/rendering issues. Zooming can make them come back.
Is there a way to make the chart render, say every 7th or 30th date label so a user could at least tell it's December-ish at that part of the graph? This becomes particularly important in a PDF export or scheduled report where the ability to manipulate it is gone. I need some way to anchor the time scale for a user, even if it's saying render exactly 10 labels or something like that would be very helpful.
Thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
timechart is the key. That chart axis behaves differently than a normal chart with the date on the axis for sure. In order to make this work have to do
| eval Date=strptime(Date,"%m/%d/%Y")
| eval _time=Date
In order to get the timechart to work properly if the events aren't indexed in real time. In this case, events are bulk loaded and all have the same timstamp. Should fix that with an indexing transform but the chart is working like I want now, thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
timechart is the key. That chart axis behaves differently than a normal chart with the date on the axis for sure. In order to make this work have to do
| eval Date=strptime(Date,"%m/%d/%Y")
| eval _time=Date
In order to get the timechart to work properly if the events aren't indexed in real time. In this case, events are bulk loaded and all have the same timstamp. Should fix that with an indexing transform but the chart is working like I want now, thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nice!
With a plain date string on the x-axis, splunk will have no idea how to sample that once the number of x-axis values gets to big to display. With having an actual timestamp as x-axis values, it understands it can sample it by showing only only every other day / one day per week / only the month name etc.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Somehow I've been using Splunk for over 5 years and never noticed that. Don't do a lot of PDF exports... thanks for setting me straight!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you actually using a timechart? Can you share the actual search you run and a screenshot showing the issue?
Because when I run a timechart, regardless of the number of days I include, it will always show some labels on the x-axis.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
assuming you are using timechart, can you not just use the span statement?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
anyone else experience a desire to do this?
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
