Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you make output from xyseries generate the same _time-based X-axis labels as timechart?

Graham_Hanningt
Builder
‎05-02-2016 09:51 PM

The following search:

sourcetype=my_log_type | timechart count by conn_type

generates the chart I want, with one exception: instead of the original conn_type (connection type) values, I want the chart to display more readable, descriptive values.

I want to replace the values after the timechart command. For reasons why, see my comment on a different question.

To rename the series, I append the following commands to the original search:

| untable _time conn_type value | lookup connection_types.csv conn_type output description | xyseries _time description value

This has the desired effect of renaming the series, but the resulting chart lacks the intelligently formatted X-axis values generated by timechart.

How do I reproduce the intelligent X-axis values generated by timechart?

I do not want to hardcode span or bin values: I use this search in a dashboard whose time range might span years or fractions of a second. I want to take advantage of the way timechart chooses a default span based on the time range.

The following screenshots show the original "intelligent" X-axis labels generated by timechart, and the X-axis labels after xyseries:

Splunk screenshots

Preview file
1 KB
Reply
1 Solution
Solved! Jump to solution
Solution

Jeremiah
Motivator
‎05-02-2016 10:05 PM

What about doing a stats and then a timechart?

sourcetype=my_log_type | bucket _time span=1s | stats count by _time, conn_type | lookup connection_types.csv conn_type output description | timechart sum(count) AS count by description

View solution in original post

Reply
Solved! Jump to solution

ctaf
Contributor
‎07-11-2017 03:04 AM

I personally can not use timechart. Is there a way to do what timechart is doing with xyseries ?

EDIT: I found a solution:

I perform the xyseries, then the "untable", and then the timechart... But it really not efficient and optimized. That would be great to know exactly what the timechart command is doing...

0 Karma
Reply
Solved! Jump to solution
Solution

Jeremiah
Motivator
‎05-02-2016 10:05 PM

What about doing a stats and then a timechart?

sourcetype=my_log_type | bucket _time span=1s | stats count by _time, conn_type | lookup connection_types.csv conn_type output description | timechart sum(count) AS count by description
Reply
Solved! Jump to solution

Graham_Hanningt
Builder
‎05-02-2016 11:12 PM

Thank you, @Jeremiah! That works for me.

I've removed the span=1soption after reading the docs: bucket (and bin) seem to share the same default spanning behavior as timechart. I've also replaced the bucket command name with bin, because - tell me if I'm wrong - the bin command seems to be the "primary" command (for which bucket is an alias): the Splunk docs topic for bucket refers the reader to the bin topic.

I'd like to convert your comment into an answer so that I can accept it, but I can't see how to do that. I'm guessing I lack the authority - or karma points - for that option to appear in my user interface. Could you (or anyone reading this) please do that for me, or point me to where I can do that myself?

So, pushing timechart to the end of the search solves my problem. I'm still curious, though: timechart seems to be "doing stuff under the covers" (perhaps: generating "internal use only fields" that Splunk "hides" from users?) that I do not (yet?) have the wit to see.

0 Karma
Reply
Solved! Jump to solution

ppablo
Retired
‎05-03-2016 10:33 AM

Looks like it is now an answer 🙂 accept away!

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...