Timechart: How can I chart actual time vs. actual values

proletariat99
Communicator

Hi,
I am trying to chart a value over time, and the value may occur every few seconds, once per hour, once per day or with other varying amounts of frequency. An example event might look like this:

index=app_index
sourcetype=appname
source=applog
user=username
mycount=84
_time= 5/19/14 12:38:18.000 PM 

And I would like to chart _time vs. mycount.

Unfortunately, timechart only seems to want to play nicely with a) spans of time and b) statistical metadata about my value (for instance: max(mycount) or avg(mycount) instead of just value(mycount)).

Again, what I would LIKE to see is a timechart of mycount (y-axis) with the exact time when it occurred (x-axis). If I make my span=1m or smaller, Splunk can't handle the load and I don't need that level of granularity at all times for all sources, only for those that have high frequency of occurrence.

Is there any way to get around "span=" for timechart? Is there any way to timechart value(mycount) rather than timechart max(mycount) for peaks and timechart min(mycount) for valleys?

Looking at these time series charts in buckets and using metadata is horrifically misleading when you have frequency-oscillating data, and I don't feel comfortable providing results on misleading data.

0 Karma
1 Solution

somesoni2
SplunkTrust

If you're getting one value per _time then all aggregate functions (avg, min, max, first, last) will give the absolute values.

Also, you can try doing just "| table _time, mycount" instead of timechart, if the number of events is small (~1000).

The link below provides a way to dynamically change the span of the timechart. It may be helpful.
http://answers.splunk.com/answers/54434/modifying-timecharts-span-based-on-selected-range

0 Karma

proletariat99
Communicator

Thanks, Bert. I actually read that one already, and I thought he was having a different problem, but I missed the suggestion by the 2nd commenter, which actually answered my question. This works:

index=app_index | rename count as pcount | chart values(pcount) by _time user

Well, Splunk can't timechart more than like 10,000 records, so it doesn't work famously, but it works.

thanks.

0 Karma
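The following is an added illustration, not code from this thread or from Splunk: a small Python simulation of what the two approaches discussed above do to a sparse, frequency-oscillating series. It models timechart's span bucketing (the avg/min/max case the question calls misleading, and the answer's point that with one event per span every aggregate equals the raw value) alongside the per-event pivot that "chart values(pcount) by _time user" produces. The events, user names, values and span sizes are constructed sample data, and the bucketing is a simplification of Splunk's (fixed spans aligned to the epoch, UTC).

```python
"""Added example (not from the thread): simulates Splunk timechart span
bucketing versus a per-event 'chart values(x) by _time user' pivot.
All events below are constructed sample data, not real app logs."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events. 'alice' logs every 5 seconds for one minute with
# an oscillating value (80, 90, 100, ...); 'bob' logs once per hour. Timestamps
# are tz-aware UTC so bucket boundaries do not depend on the local time zone.
BASE = datetime(2014, 5, 19, 12, 38, 18, tzinfo=timezone.utc)
EVENTS = (
    [{"_time": BASE + timedelta(seconds=5 * i), "user": "alice",
      "mycount": 80 + (i % 3) * 10} for i in range(12)]
    + [{"_time": BASE + timedelta(hours=h, minutes=30), "user": "bob",
        "mycount": 40 + h} for h in range(3)]
)


def bucket(events, span_seconds):
    """Group event values into fixed spans, like 'timechart span=<n>s'.
    Keys are the epoch second at which each span starts."""
    buckets = defaultdict(list)
    for e in events:
        epoch = int(e["_time"].timestamp())
        start = epoch - (epoch % span_seconds)
        buckets[start].append(e["mycount"])
    return dict(buckets)


def timechart_stats(events, span_seconds):
    """Per-span count/avg/min/max, like
    'timechart span=<n>s avg(mycount) min(mycount) max(mycount)'."""
    out = {}
    for start, vals in sorted(bucket(events, span_seconds).items()):
        out[start] = {"count": len(vals), "avg": sum(vals) / len(vals),
                      "min": min(vals), "max": max(vals)}
    return out


def aggregates_are_exact(stats):
    """True when every span holds exactly one event, so avg == min == max ==
    the raw value and no aggregate hides anything (the answer's point)."""
    return all(s["count"] == 1 and s["avg"] == s["min"] == s["max"]
               for s in stats.values())


def chart_values_by_time_user(events):
    """Per-event pivot, like 'chart values(mycount) by _time user': no spans,
    each row is an exact event timestamp with one column per user."""
    table = defaultdict(dict)
    for e in events:
        table[e["_time"]][e["user"]] = e["mycount"]
    return [(t, table[t]) for t in sorted(table)]


if __name__ == "__main__":
    # A one-hour span folds alice's 12 events into a single point: avg 90,
    # min 80, max 100, and the 5-second oscillation is gone from the chart.
    for start, s in timechart_stats(EVENTS, 3600).items():
        print(datetime.fromtimestamp(start, timezone.utc), s)
    # A one-second span keeps one event per bucket, so aggregates are exact,
    # at the cost of one bucket per second across the whole search window.
    print("exact at span=1s:", aggregates_are_exact(timechart_stats(EVENTS, 1)))
    # The per-event pivot plots the real timestamps with no span at all.
    for t, row in chart_values_by_time_user(EVENTS):
        print(t, row)
```

Running it shows the trade-off the thread describes: the coarse span gives one smoothed point per hour for alice (avg 90, min 80, max 100) while the fine span is exact but produces a bucket per second, and the per-event pivot sidesteps spans entirely, which is why it is the right fit for small result sets and why the poster still hits a row limit on large ones.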