Solved: Getting rid of unused time in timechart

plucas_splunk · ‎08-31-2016

Given a search:

index="muni" | nbclosest | timechart span=30m dc(vehicle_id) as NumVehicles

(where nbclosest is a custom search command that filters results and isn't relevant to this question) it correctly charts the data, but the problem the data is only from a subset of hours in the day, e.g., 10am to 7pm. When plotting it, it looks like the attached image:

I'd like to change the chart so that the times outside 10am-7pm aren't displayed at all. It would be as if the chart were squished horizontally by removing midnight-10am and 7pm-midnight.

How can I do this?

sundareshr · ‎08-31-2016

See if add cont=f to the timechart command gives you the desired output.

View solution in original post

somesoni2 · ‎08-31-2016

Give this a try. You may loose the x-axis markers

index="muni" | nbclosest | bucket span=30m _time | stats dc(vehicle_id) as NumVehicles by _time

plucas_splunk · ‎08-31-2016

This produces the same result as adding cont=f but, oddly, says "0 events" on the left.

sundareshr · ‎08-31-2016

See if add cont=f to the timechart command gives you the desired output.

Getting rid of unused time in timechart

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases