Re: Timechart /Timewrap - change in the x axis

Veeruswathi · ‎06-18-2018

Hi all,

I am using the timechart graph to represent number of apples every week over last 28 days and compare it to previous other weeks using timewrap command , The problem here is i see that the latest dates and weekdays (Eg:Sun Jun 10) are visible on xaxis. Is there any possiblity that i get on week days (Eg: Sun) instead of date??

Any help on this would be much appreciated.

Thanks,
Swathi

niketn · ‎06-23-2018

@Veeruswathi, you can try the following run anywhere search.

index=_internal sourcetype=splunkd log_level!=INFO earliest=-28d@d latest=now
| timechart span=1d count as ERROR
| timewrap 1w
| eval Time=strftime(_time,"%a")
| field - _*
| table Time *

_time field is removed and retained columns are Time (as first column) followed by other fields created by timechart followed by timewrap commands.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Sukisen1981 · ‎06-23-2018

something like this?index="_audit" | timechart count | eval time=strftime(_time, "%a") | fields time,count | fields - _time

I am not clear on your requirements but use this code as it is(sine this runs on the default _audit index it will give an output for you as well), the x axis will come only as day names. I do not understand however how just having the day names help you in this case, however that is your use case

Veeruswathi · ‎06-20-2018

Any help on this would be much appreciated

Timechart /Timewrap - change in the x axis

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases