- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to set the X-axis range in a time chart
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to set the X-axis range in a time chart
Hi all,
I am a relatively new user of splunk, so do be patient with me if you think that my questions had been answered before.
Background:
I'm trying to count for events using a timechart but i currently facing a problem in setting a range for the x-axis in the timechart.
I have tried to look for solutions but I think that could not find anything that is similar to mine.
Question:
How do I set the x-axis for the timechart? I tried to run the following query and it does not limit the x-axis range.
index = ["something"] [search for IP address] | timechart span=1hr count by date.
The corresponding results will be
17-02-2017 | 18-02-2017 | 19-02-2017 | 20-02-2017
2017-02-17 06:00
....
2017-02-17 23:00
2017-02-18 00:00
....
2017-02-18 23:00
Is there a command where I can set the X-axis range of timechart to explicitly display from 0600hrs to 2300 without the time chart column going to the next day?
Thank you for your time in looking into my situation
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try like this. This will remove all the results where are before 6AM and after 11PM. The x-axis will adjust accordingly.
index = ["something"] [search for IP address] | timechart span=1hr count by date | where strftime(_time,"%H")>=6 AND strftime(_time,"%H")<23
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this -
index = ["something"] [search for IP address]
| eval myHour = strftime(_time,"%H:%M:%S")
| where myHour>="06:00:00" AND myHour <"23:00:00"
| timechart span=1hr count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What are you trying to achieve?
If you are trying to only count events that occur between certain hours, across a number of days, then you need to filter that before you feed it into the timechart command.
Also, span=1hr and count by date make no sense at all together.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
if you are just looking for one day, add earliest=-1d@d latest=@d to the beginning of your search
Detecting Remote Code Executions With the Splunk Threat Research Team
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
