Splunk Search

"Gaps" in Timechart

twkan
Splunk Employee

Hello everybody,

I'm trying to do a timechart using a 3 day timeframe, for example from Jul 17 2011 00:00:00 to Jul 20 2011 00:00:00. The search query is simple, and it is:

 sourcetype=access_combined | timechart count by uri useother=f usenull=f

The timechart will start rendering in reverse chronological order, which is the normal behavior. During the rendering of the timechart, there seems to be some "buffer" limit which prevents the entire graph to be rendered, and you would actually see 'gaps' in-between where the graph is supposed to be.

If I change the timeframe to e.g. 1 week, the "gaps" would actually expand accordingly as well. I've tried playing around with span and bins as well, but it doesn't seem to help in this case.

If I set the timeframe to 1 day, everything works well. I know Summary Indexing may help me to get around this, but the question is really to shed some light on this.

This was tested on 4.2.1, 4.2.2 and 4.2.3 under Linux 64-bit.

Thanks for any suggestions.

Screenshot

1 Solution

steveyz
Splunk Employee

how many distinct uri's are you expecting to get in those 3 days?

try increasing in limits.conf

[stats]
maxresultrows = 50000

try upping it to 500,000 and see what happens.

eamuncal
Explorer

Hi:

We resolve this by doing two things.

  1. Using a bigger span (span=1h for a 24H timerange). No set of rules here. Just playing with the span to lessen the gap.
  2. Adjusting values in limits.conf. 50000 was changed to 50,000,000, for example, as per steveyz's suggestion.

Thanks twkan for the post.

Good day!

sloshburch
Splunk Employee

I'm seeing the same issue but using (over last 24 hours):
timechart span=30min avg(field1) avg(field2).

Just like in this case, driving into the gap periods I see the data does exist. Updating the limits has not fixed it.

Anyone have any other ideas?

twkan
Splunk Employee

Hello Steve,

Thanks, I am pulling about 420,000 events for the past 3 days, and increasing the limit to 500,000 does help to solve the issue.

twkan
Splunk Employee

Thanks Nick for the help. Yes, it did occur that there could be a possibility the values of the "uri" are not in the Top 10, and hence we are getting 0 results for it.

I have tried to omit usenull=f and useother=f and re-ran the search, and you can see that the gap still persists.

Screenshot

Screenshot

In my sample data set, the gap exists from 17 Jul 12:00:00 till 18 Jul 11:00:00. I have tried to create another search with that specific timeframe, and the results can be seen below with no gaps in between.

So the issue seems to compound itself when we try to timechart over a longer timeframe, for some reason.

sideview
SplunkTrust

I'm not sure if this is causing it, but 'useother' and 'usenull' can lead to problems if you don't understand what they do. Setting those to 'f' will just omit NULL and OTHER from the output. However if a given time bucket has ONLY null values or only 'other' values, then you'll just get no data at all during those buckets. In other words if those timebuckets have relatively low volume, and they only contain values of uri that are not in the top 10 overall, then you'd get exactly what you're seeing here.

If you haven't already tried it, I would try it again without those useother/usenull arguments, or generally look for something distinctive about the data in the badly-behaving time buckets.

Also, be aware that during the 'preview' stage, the granularity of the timechart will change several times. It's maybe possible that what you saw was just the buckets of a lower-level granularity.

But if it's neither of those, then I would send it into support@splunk.com so they can help you diagnose the system more deeply.
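The two mechanisms discussed in this thread, steveyz's [stats] maxresultrows cap and sideview's point that useother=f/usenull=f empties a low-volume bucket whose only values fall outside the top-N series, modelled as an added Python example. This is not Splunk's code and not from any poster: the sample events are constructed, and "the row cap drops the oldest buckets first" is an assumption made to reproduce what the screenshots describe.

```python
from collections import Counter
from datetime import datetime, timedelta

HOUR = timedelta(hours=1)

def make_events():
    """Constructed sample of (timestamp, uri). Buckets 2 and 3 are low-volume
    and contain only URIs that never reach the overall top-N."""
    base, events = datetime(2011, 7, 17), []
    for h in range(6):
        t = base + h * HOUR
        if h in (2, 3):
            events += [(t, f"/rare{h}-{i}") for i in range(3)]
        else:
            events += [(t, "/index.html")] * 5 + [(t, "/login")] * 4 + [(t, None)]
    return events

def timechart_count_by(events, span=HOUR, limit=2, useother=True,
                       usenull=True, maxresultrows=None):
    """Model (assumption, not Splunk internals) of `timechart count by <field>`:
    top-N series plus OTHER/NULL columns, and a cap on the intermediate
    (bucket, value) rows that discards the oldest buckets first."""
    start = min(t for t, _ in events)
    rows = Counter()
    for t, v in events:
        bucket = start + span * ((t - start) // span)
        rows[(bucket, "NULL" if v is None else v)] += 1
    if maxresultrows is not None and len(rows) > maxresultrows:
        newest = sorted(rows, key=lambda k: k[0], reverse=True)[:maxresultrows]
        rows = Counter({k: rows[k] for k in newest})
    totals = Counter()
    for (_, v), c in rows.items():
        if v != "NULL":
            totals[v] += c
    top = {v for v, _ in totals.most_common(limit)}
    series = sorted(top) + (["OTHER"] if useother else []) + (["NULL"] if usenull else [])
    end, b, chart = max(t for t, _ in events), start, {}
    while b <= end:  # one zero-filled row per bucket across the whole range
        chart[b] = dict.fromkeys(series, 0)
        b += span
    for (b, v), c in rows.items():
        col = v if (v in top or v == "NULL") else "OTHER"
        if col in chart[b]:  # dropped columns (useother=f / usenull=f) vanish
            chart[b][col] += c
    return chart

def gaps(chart):
    """Buckets that render as 'no data': every visible series is zero."""
    return [b for b, cols in chart.items() if not any(cols.values())]
```

With the constructed events, useother=f usenull=f produces gaps at 02:00 and 03:00 even though the events exist, and a row cap of 12 drops the two oldest buckets instead.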

twkan
Splunk Employee

Hmm, interesting. If I try to use ...timechart count by clientip, or count by status, or count by eventtype, the graphs are totally alright with no gaps. So it seems like the field uri and perhaps others (haven't had the chance to try all of them yet) is causing the issue...
