How to change timechart axis?

corehan · ‎04-19-2022

Hello dears,

How can i change timechart _time axis y to x ?

<base search>  | timechart span=1h sum(REQUESTNAME) as Sikayet count by ilce |sort -count | untable _time Xaxis Yaxis |where Yaxis > 3

Regards

corehan · ‎04-25-2022

Finally here is my query which i want;

Fyi..

ITWhisperer · ‎04-19-2022

| xyseries Xaxis _time Yaxis

VatsalJagani · ‎04-19-2022

@corehan - Why you are using untable command?

By default timechart command put _time on the X-axis. Please try removing stuff after sort command and see if you get what you need.

-----
I hope this helps!!! If it does consider upvoting!!!

corehan · ‎04-19-2022

Thank you for suggest but i can't found, how can i put the _time to x axis command..

Regards.

Final search;

<base search> | timechart span=1h count(REQUESTNAME) by ilce |sort -count

Also i need to set threshold value like count >3 in this scenario.

VatsalJagani · ‎04-19-2022

@corehan - Since you are using timechart command with groupby, your Y-axis field name is not the "count".

If you look at the results it's not one-dimensional results here. So if you want to filter for those for which the total count is not greater than 3 then you can use the following search:

<base search>  | timechart span=1h count(REQUESTNAME) by ilce 
| transpose
| addtotals
| search Total>3
| fields- Total
| transpose header_field=column
| fields - column

Please post the screenshot of the result if this does not work.

corehan · ‎04-19-2022

Hello,

I changed the query but i doesn't work;

How to change timechart axis?

timechart

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio