Solved: A great Charting Problem!

Dark_Ichigo · ‎12-15-2011

I do not understand why Im currently having this problem, I have never had this problem before when creating charts with splunk!

The problem is when using the follwing search to create a chart with span=5m within a Timestamp of a whole Month:

index="INDEX" GET* | timechart bins=50000 span=5m count

I only get three days, and the rest of the days seem to shift to the right of the chart and disappear as it loads!

This is a very weird behaviour, I dont understand why its behaving like this, the flashtime search works fine with all the results for that month, but when creating the chart it doesn't seem to work normally

Takajian · ‎12-15-2011

The maximum points of x-axis is 1000 points in splunk chart. Therefore you will not be able to create monthly report with such a small time span like 5m. Can you change time span to span=1d ? Then you will see whole chart in the month. You will need to adjust them to what you want to see.

View solution in original post

arthurjspencer · ‎03-27-2014

In simple XML you can increase the number of points in a chart by including.

5000

Takajian · ‎12-15-2011

The maximum points of x-axis is 1000 points in splunk chart. Therefore you will not be able to create monthly report with such a small time span like 5m. Can you change time span to span=1d ? Then you will see whole chart in the month. You will need to adjust them to what you want to see.

A great Charting Problem!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases