Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there any way to set a higher default "bins=xxx" for timechart setting?

Richfez
SplunkTrust
SplunkTrust
‎10-13-2014 09:24 AM

I know I can override the default bins=100 in any particular search. Is there any way to set something slightly higher as the default?

Use case: The majority of our timechart based searches bucket reasonably well, but both Weekly and Business Weekly reports should not trigger a bump to the next bin size (daily) and should remain hourly. Unfortunately, I don't wish to have to add "bins=170" or bins="200" to all searches and would like a way to set it as the default, which sounds like a very reasonable knob that ought to be available. I can't find it though.

I can't just set span=1h because the searches may vary between "show me today" to "show me the previous year." I need to keep the dynamic span aspect, just have a few more buckets available before it kicks me into larger buckets.

Reply
1 Solution
Solved! Jump to solution
Solution

MarioM
Motivator
‎10-13-2014 11:57 AM

have you looked at this parameter in limits.conf:

[discretize]
* This stanza set attributes for bin/bucket/discretize.

default_time_bins = <integer>
* When discretizing time for timechart or explicitly via bin, the default bins to use if no span or bins is specified.
* Defaults to 100

View solution in original post

Reply
Solved! Jump to solution
Solution

MarioM
Motivator
‎10-13-2014 11:57 AM

have you looked at this parameter in limits.conf:

[discretize]
* This stanza set attributes for bin/bucket/discretize.

default_time_bins = <integer>
* When discretizing time for timechart or explicitly via bin, the default bins to use if no span or bins is specified.
* Defaults to 100
Reply
Solved! Jump to solution

Richfez
SplunkTrust
SplunkTrust
‎10-13-2014 01:52 PM

Works perfectly. After double-checking and all that, I added 

[discretize]
default_time_bins = 200

to /opt/splunk/etc/system/local/limits.conf, restarted splunk and now weekly searches default to hourly bins. Perfect.

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...