Refine your search:


I have a form where you can choose a value, a time frame and click Search. The search will run and display a bar graph and table of the results.

The bar graph and table currently are only displaying about a weeks worth of data no matter what time frame you choose. For example, I choose 30 days, I still only get a week graphed and tabled.

However if I click on the "View Results" link under the table or graph, I can see all of the results for the time period specified. Example: Click View Results for 30 days, see 30 days of data graphed and 30 days of data tabled.

How can I get the graph and table to display the right amount of data for the time period I specify on the form? I'm not using timechart and I'm wondering is this the issue? I looked at other forms and some weren't using timechart at all. Here's my code from my form.

 <searchTemplate>index=oxrsping sourcetype=OXRSTEST4 hostname=$hostname$ | table _time hostname user_login domain_create domain_check domain_renew domain_transf domain_delete registrar_update registrar_info update_balance user_logout</searchTemplate>  
  <input type="dropdown" token="hostname">
   <label>Select Hostname</label>
      <populatingSearch fieldForValue="hostname" fieldForLabel="hostname">index=oxrsping sourcetype=OXRSTEST4 daysago=15 | fields hostname | dedup hostname
   <choice value="*">Any</choice>
 <input type="time" />

       <!-- output the results as a 50 row events table -->
       <option name="charting.chart">line</option>
       <option name="charting.primaryAxisTitle.text">Date</option>
       <option name="charting.secondaryAxisTitle.text">Response Time (ms)</option>

     <option name="showPager">true</option>

asked 25 Jan '12, 12:30

gnovak's gravatar image

accept rate: 18%

One Answer:

well I sorta answered my own question. timechart was the answer.

I changed my search in the form to this:

index=oxrsping sourcetype=OXRSTEST4 | timechart sum(domain_check) as domain_check sum(domain_create) as domain_create sum(domain_delete) as domain_delete sum(domain_renew) as domain_renew sum(domain_transf) as domain_transf sum(update_balance) as update_balance sum(user_login) as user_login sum(user_logout) as user_logout sum(registrar_update) as registrar_update sum(registrar_info) as registrar_info

I was then able to see results for large spans of time. Now I just need to calculate an average time in MS for each field instead of a sum. Onward!


answered 27 Jan '12, 13:20

gnovak's gravatar image

accept rate: 18%

Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions



Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported



Asked: 25 Jan '12, 12:30

Seen: 741 times

Last updated: 27 Jan '12, 13:20

Copyright © 2005-2014 Splunk Inc. All rights reserved.