Min/Max of Time Axis on Timechart Does Not Always ...

puladamscom · ‎05-08-2014

If you perform a query that returns events that do not hit the left or right "edge" of your specified time range, and then timechart these events, the timechart axis starts and ends with the first and last event rather than the earliest/latest clause you specified in your query.

I would expect the timechart scale to "honor" the query time range.

It is an infuriating problem for those who want multiple timecharts on a dashboard as the scale on the various charts may not tally.

To illustrate, here is a rather contrived example you can run yourself

The below simulates a query over the last day in which all returned events fell within the middle 12h of that day - i.e. nothing during the first/last 4h

index=_audit earliest=-1d latest=now
| where _time<(now()-60*60*4) AND _time>(now()-60*60*20)
| timechart span=5m count

Notice that the timechart's x axis starts and ends with the first/last datapoint - in other words it only shows the "populated" 12h rather than the whole 24h.

Now for the inelegant workaround. It appears that timechart suddenly DOES honor your timerange if you put a reporting command BEFORE the timechart, for example

index=_audit earliest=-1d latest=now
| where _time<(now()-60*60*4) AND _time>(now()-60*60*20)
| bucket span=5m _time
| stats count BY _time
| timechart span=5m avg(count)

I currently use this as a workaround, but it is artificial and confusing for maintainers.
Anyone know of a more elegant fix?

puladamscom · ‎10-08-2015

@aferone I still don't know of a proper fix, but I habitually use the following workaround.

First, to recap the problem demonstrator query - it looks back over 24 hours but throws away all but the "middle" 12h of the period. The defect causes the scale bounds to "snap" to the data extents ....

index=_audit earliest=-1d latest=now
| where _time<(now()-60*60*4) AND _time>(now()-60*60*20)
| timechart span=5m count AS tally BY host

Adding the following two lines resolves that issue. You can slap these lines onto any problem query and it will do the same for you. Only thing is that you must stipulate the same span value as the first timechart, but otherwise it is totally reusable as-is...

...
| untable _time series value
| timechart span=5m first(value) BY series

aferone · ‎10-07-2015

Did this ever get resolved? I had the same question here:

https://answers.splunk.com/answers/108958/inconsistent-behavior-with-timechart-and-today-timeframe.h...

Thanks.

puladamscom · ‎05-08-2014

I have found a similar complaint (http://answers.splunk.com/answers/96869/timechart-yesterday-forced-to-display-full-24-hours)
This guy's workaround is a bit better than mine, which is to stick a fillnull just before the timechart.
So this
index=* earliest=-1d latest=now | head 1 | timechart span=1h count
becomes
index=* earliest=-1d latest=now | head 1 | fillnull value=NULL | timechart span=1h count

sansay · ‎01-20-2015

The problem with "fillnull value=NULL" is that it changes my search completion time from 10 seconds to 3 minutes.
Therefore that's not a good workaround.
The only one that works for me is using stats before timechart.
Anyway, I put in a bug report for this issue.

BenjaminWyatt · ‎05-08-2014

What about the fixedrange option for timechart? From the docs page (http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Timechart?r=searchtip)

fixedrange
Syntax: fixedrange=
Description: (Not valid for 4.2) Specify whether or not to enforce the earliest and latest times of the search. Setting it to false allows the timechart to constrict to just the time range with valid data. Default is True | T.

I know in the latest version of Splunk this defaults to True, but if you're not on the latest version of Splunk, then it might not be set to "true" by default. I've had similar issues, and this has fixed the issue.

puladamscom · ‎05-08-2014

I am on version 6.0.1 so pretty recent. The fixedrange=T promises to solve my issue, but doesn't deliver
To illustrate, the following query still fits the x axis to the data
index=* earliest=-1d latest=now | head 1 | timechart fixedrange=T count
So I guess this is a Splunk bug then

linu1988 · ‎05-08-2014

even if you don't use the stats and bucket it will show you the time interval you want in the timechart. If you don't mention the span it is showing one data point that you are correct.

puladamscom · ‎05-08-2014

@linu1988 I don't have an issue with the allowable number of datapoints on a chart, nor the span.
If you run this query:
index=* earliest=-1d latest=now | head 1 | timechart count
You'll see the x axis does not cover the whole day; it just "fits" to the one datapoint returned

linu1988 · ‎05-08-2014

Hello,
It's because of the limitation on the JS and Flashchart. Take a look at this post. If you don't put the span then timechart will smartly adjust the values.

Max Values Timechart Handles

Thanks

puladamscom · ‎05-08-2014

Can't seem to edit my question to get rid of a formatting gremlin. The queries should have been:

index=_audit earliest=-1d latest=now
| where _time<(now()-60 * 60 * 4) AND _time>(now()-60 * 60 * 20)
| timechart span=5m count

..... and .....

index=_audit earliest=-1d latest=now
| where _time<(now()-60 * 60 * 4) AND _time>(now()-60 * 60 * 20)
| bucket span=5m _time
| stats count BY _time
| timechart span=5m avg(count)

Min/Max of Time Axis on Timechart Does Not Always Reflect Query Time Range

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!