How can we give a custom dynamic value for the x-axis in the search?
I know we can change it manually in the Format tab - X-Axis,
but I want that to be generated dynamically from the search.
Thanks
Try this:
<yourSearch> | bin span=20m _time | eval Time=strftime(_time,"%H:%M") | stats field BY Time | rename Time as [| makeresults | eval str=strftime(_time,"\"%m/%d\"") | return $str]
The subsearch should produce mm/dd of the date you run the search on and display it as the X-Axis label.
Close enough!
But if I do a search for 9/13, it should show me 9/13 for the x-axis.
Ah, yes. Replace | makeresults with an event-generating search then. Example: search index=_internal | head 1. All you need is one event, otherwise you won't have the correct _time value. Sorry 'bout that!
Can you provide an example? The X-Axis label is usually the name of the field plotted on the X-axis. You could just rename the field...?
Yeah, can we get a date to display as a field?
@knarayana, can you give your final transforming command which plots Date on the x-axis? Also, what do you mean by dynamic field name from search? Can you give details and an example?
@knarayana, are you using a Time Picker input control in your dashboard? Or are the dates for your searches static?
Also, are users supposed to select only one day's data? Or can it be more than a day as well? For example, if it is a week's data, what would you display as the x-axis label?
Here is my search:
"search" | bin span=20m _time | eval Time=strftime(_time,"%H:%M") | stats field BY Time
The x-axis gets the label Time,
but instead I want the date, like 09/15.
This search is limited to any 1 particular day.
Can you give an example (made-up) search and let us know what you want your graph to look like, because I don't understand what you are trying to do.
Say you are running a search like somesearch | timechart sum(field) by someOtherField, the x-axis label will be "_time", with the appropriate intervals printed along the x-axis. If you add | rename _time as "Date/Time", the label will say "Date/Time" instead.
This is exactly what my example looks like,
but the x-axis should display the date I run the search for.
So, if I do a search for today, the x-axis should show me that date (09/15) instead of _time.