Splunk Search

How to edit my search to show values of 1 hour increments on the x-axis of the chart?

L064979
Engager

I have this search string shown below; it is perfect except that it does not show any values on the x-axis of the chart. What I'm wanting is to have hourly increments on the x-axis, i.e. 12, 1, 2, etc. Your time is appreciated!

```spl
index=ims IMS1 earliest=-90d@d latest=-1d@d
| eval dow=tonumber(strftime(_time,"%w"))
| where dow!=0 AND dow!=6
| eval TDay=strftime(now(), "%F")
| eval QDay=strftime(_time,"%F")
| convert timeformat="%Y-%m-%d" mktime(TDay)
| convert timeformat="%Y-%m-%d" mktime(QDay)
| eval tdiff=(TDay-QDay)/86400
| eval new_time=_time+86400*tdiff
| eval _time=if(isnotnull(new_time), new_time, _time)
| eval Max_Peak=20000
| bin _time span=15m
| stats first(Max_Peak) as Max_Peak avg(Tran_Count) as Normal_Day perc95(Tran_Count) as tempUpper perc10(Tran_Count) as Lower by _time
| eval Upper=tempUpper-Lower
| table _time Upper Normal_Day Lower Max_Peak
| join type=outer _time [search index=ims IMS1 earliest=-0d@d latest=now | timechart span=15m avg(Tran_Count) as IMS1_Today_AVG]
| join type=outer _time [search index=ims IMS2 earliest=-0d@d latest=now | timechart span=15m avg(Tran_Count) as IMS2_Today_AVG]
| join type=outer _time [search index=ims IMS3 earliest=-0d@d latest=now | timechart span=15m avg(Tran_Count) as IMS3_Today_AVG]
```
1 Solution

Raghav2384
Motivator
I used the exact same search of yours with a few modifications:
 1. Changed index=main and removed IMS1.
 2. Changed the search window from -90d to -24h (90 days at 1h will have 2160 datapoints).
 3. Changed the span from 15m to 1h in the timecharts as well as in bin _time span=1h, and I got an output with 1-hour data points on the x-axis.

**Recommendations**: change the span from 15 min to 1 hr, as using 15m intervals over 90 days would generate 129600 datapoints!
Also reduce it from -90d to a smaller set like 7d and see if you get the desired outputs.

Hope this helps!
Thanks,
Raghav
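The question's search with the changes from this answer applied (span=1h in bin and in all three timechart subsearches, window cut to the last 7 days as recommended); this is an added illustration, not code posted by the answerer, and it keeps the index and field names from the question:

```spl
index=ims IMS1 earliest=-7d@d latest=-1d@d
| eval dow=tonumber(strftime(_time,"%w"))
| where dow!=0 AND dow!=6
| eval TDay=strftime(now(), "%F")
| eval QDay=strftime(_time,"%F")
| convert timeformat="%Y-%m-%d" mktime(TDay)
| convert timeformat="%Y-%m-%d" mktime(QDay)
| eval tdiff=(TDay-QDay)/86400
| eval new_time=_time+86400*tdiff
| eval _time=if(isnotnull(new_time), new_time, _time)
| eval Max_Peak=20000
| bin _time span=1h
| stats first(Max_Peak) as Max_Peak avg(Tran_Count) as Normal_Day perc95(Tran_Count) as tempUpper perc10(Tran_Count) as Lower by _time
| eval Upper=tempUpper-Lower
| table _time Upper Normal_Day Lower Max_Peak
| join type=outer _time [search index=ims IMS1 earliest=-0d@d latest=now | timechart span=1h avg(Tran_Count) as IMS1_Today_AVG]
| join type=outer _time [search index=ims IMS2 earliest=-0d@d latest=now | timechart span=1h avg(Tran_Count) as IMS2_Today_AVG]
| join type=outer _time [search index=ims IMS3 earliest=-0d@d latest=now | timechart span=1h avg(Tran_Count) as IMS3_Today_AVG]
```

Because both the outer bin and the subsearch timecharts now use the same 1h span, their _time values land on identical hour boundaries, so the outer joins line up one row per hour of the day.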