Show time in minutes on the Y axis

yrajabi1 · ‎02-27-2013

Hello, I have a set of data that I have shared below that I am charting with a line against the source. I cannot get the time(in minutes) to be on the Y axis. Any advice would be appreciated.

index=advantage sourcetype=searchtimes source="build." | transaction startswith="About to start Index Build" endswith="Time taken for index build"| eval timedur= (duration)/60 | convert timeformat=%M:%S ctime(timedur) | chart first(timedur) by source

1 C:\SPLUNK\build.log.20130217 02:01
2 C:\SPLUNK\build.log.20130218 02:04
3 C:\SPLUNK\build.log.20130219 02:05
4 C:\SPLUNK\build.log.20130220 02:08
5 C:\SPLUNK\build.log.20130221 02:12
6 C:\SPLUNK\build.log.20130222 02:09
7 C:\SPLUNK\build.log.20130223 02:15
8 C:\SPLUNK\build.log.20130224 02:10
9 C:\SPLUNK\build.log.20130225 02:16

In my XML I have this..
P0Y0M0DT0H15M0S
P0Y0M0DT0H0M0S
line
1

Thanks!!

davecroto · ‎02-28-2013

When I run this timechart the graph brakes the "x axis" into minutes.

index=_internal earliest=-1m |timechart span=60s count by group

You are specifying a line chart. If you want to show minutes or time on the y axis, would it make sense to use a column instead of a line?

davecroto · ‎02-28-2013

Maybe this example makes more sense. In a column of course

index=_internal earliest=-1m |eval desired_time=strftime(_time, "%I:%M:%S %p") |chart count by desired_time

Show time in minutes on the Y axis

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases