Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Native Chart Format Limitations

himynamesdave
Contributor
‎11-23-2013 02:20 PM

I'm trying to build a timechart (line graph) over 13 years using a 12 month span.

My search to generate the visualisation looks like this:

sourcetype="ec_com_donations_CSV"| bin _time span=12mon| timechart sum(Value) by Entity_name useother=f limit=6

And produces a line graph (-line) the looks like this:

alt text

If I choose a span <= to 1mon the visualisation shows an adjoining line between points, as intended. However, anything > 1mon, like my search above, the lines disappear.

Why is this? I know this can probably be resolved through XML, but can it be done natively in Splunk (am I missing something obvious!)?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎11-23-2013 08:30 PM

Check your format options on the line graph. One choice is between the options "Gap", "Treat as Zero", and "Trend". Try different options and see if you get what you want.

Perhaps a better option is to run the search this way:

sourcetype="ec_com_donations_CSV" 
| timechart sum(Value) by Entity_name useother=f limit=6 span=12mon

In your original search, you used the bin command to group the data, but timechart didn't know about the grouping and therefore saw the data as disjoint points. In this version, timechart itself is doing the grouping and therefore should preserve the lines.

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎11-23-2013 08:30 PM

Check your format options on the line graph. One choice is between the options "Gap", "Treat as Zero", and "Trend". Try different options and see if you get what you want.

Perhaps a better option is to run the search this way:

sourcetype="ec_com_donations_CSV" 
| timechart sum(Value) by Entity_name useother=f limit=6 span=12mon

In your original search, you used the bin command to group the data, but timechart didn't know about the grouping and therefore saw the data as disjoint points. In this version, timechart itself is doing the grouping and therefore should preserve the lines.

Reply
Solved! Jump to solution

lguinn2
Legend
‎11-26-2013 07:24 AM

Wow - that's weird. I did actually know that Splunk sees the span option of timechart as somewhat advisory in nature. But I have never seen timechart refuse to create larger time buckets, only smaller ones. (For example, timechart can't show 30 days of data in seconds.) And in recent versions, I have seen Splunk issue a message rather than simply ignoring the option.

0 Karma
Reply
Solved! Jump to solution

himynamesdave
Contributor
‎11-26-2013 06:52 AM

Thanks for your help.

I managed to solve it by selecting - Format > General > Null Values > Join - using my original search command.

I'm interested to know more about why the "span" command in the search you suggested does not work (this was the search I tried first for this viz). Using "span=12mon" does not group the data into 12 month buckets (it remains in 1 month intervals) - which is why I experimented with the "bin" command.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...