Hello Everyone!
I have a timechart visualization and I would like to change the order of the numbers on the Y-axis from descending to ascending.
As you see in the picture, it goes from 3 - 6 - 9 - 12 and instead I would like something like this 24 - 21 - 18 - 15.
This is my query. I tried something like
|sort -"_time"
|sort -"duracion"
index=controlm | eval duracion=strftime(_time,"%H.%M")
| timechart max(duracion) by job_member_name limit=20
But neither of those does what I want.
@danielgp89 Can you try the following run anywhere example based on Splunk's _internal index?
1) Simulates your current scenario with Timechart command
index=_internal sourcetype=splunkd log_level!=INFO NOT (component IN (Periodic*,Metrics*)) earliest=-1d@d latest=-0d@d-1s
| eval duracion=strftime(_time,"%H.%M")
| timechart max(duracion) as duracion by component limit=20 useother=f usenull=f
2) Uses stats to bucket events over time and then chart to transpose as needed. String Time has been used instead of Epoch time to reverse the chart.
index=_internal sourcetype=splunkd log_level!=INFO NOT (component IN (Periodic*,Metrics*)) earliest=-1d@d latest=-0d@d-1s
| eval duracion=strftime(_time,"%H.%M")
| bin _time span=1h
| stats max(duracion) as duracion by _time component
| eval Time=strftime(_time,"%Y/%m/%d %H:%M")
| chart max(duracion) as duracion by Time component limit=20 useother=f usenull=f
| reverse
PS: Since duracion is HH.MM, I have taken 24 hours of data (I have picked Previous Day instead of the current time window, so that the chart does not change every time we run the query on Splunk's _internal index, which is constantly being written).
@niketnilay Thanks so much for your time and response!
That was exactly what I was looking for.
Best Regards!!
Does this work for you:
index=controlm | eval duration=strftime(_time,"%H.%M") | timechart max(duration) as duracion by job_member_name limit=20 | eval duration= duration * -1
Hello @chrisyoungerjds!
I was thinking, what if I change the value of the hour for -1. For example:
from 21.00 to 21.59 = -3
from 22.00 to 22.59 = -2,
from 23.00 to 23.59 = -1,
from 00.00 to 00.59 = 0,
index=controlm | eval duracion=strftime(_time,"%H.%M") | eval hora=case(duracion>="23.00" AND duracion<"23.59", "-1",duracion>="00.00" AND duracion<"00.59", "0",duracion>="01.00" AND duracion<"01.59", "1",duracion>="02.00" AND duracion<"02.59", "2") | timechart max(duracion) by job_member_name
So it is going to start from the bottom!
But one of the issues that I have here is that it is not working as I expect, because each time it finds a number that matches the query the other ones disappear.
Could you help me to land my idea, please?
Best Regards!
With my query it appears that you have set the "Format" > "Y-Axis value" on the chart - which is why it's not appearing correctly.
Hello @chrisyoungerjds.
No! Unfortunately that query didn't work.
It keeps the same order of the numbers!
Sorry I had a typo. Try this: index=controlm | eval duration = (_time % 86400) / 3600 * -1 | timechart max(duration) as duration by job_member_name limit=20
I was thinking the same thing, but I don't think that he will go for it. Let's just wait for @niketnilay to show up with a full answer.
😄 @woodcock Done!!!
haha 🙂
Also @danielgp89 your time conversion is a bit dodgy. You should probably do this:
index=controlm | eval duration = (_time % 86400) / 3600 * -1 | timechart max(duration) as duration by job_member_name limit=20