
How to dynamically change the span parameter for a timechart?

vdevarayan
Path Finder

I have a dashboard panel that will display all events (for a given search).
The result set may contain 100 or 10,000 events (assume one event for every second).
If it is just 100, I would like to have span=1s.
If it is 1,000, then I would like to have span=1m.

How to dynamically change the span parameter in this scenario?
Basically, how to find out the best timespan so that it fits inside the 1000 event limit imposed by Splunk to avoid truncation happening?

thanks


laserval
Communicator

One option is to use bins=1000, which will divide the timechart into up to 1000 buckets. See http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Timechart#Optional_arguments

Is this what you are looking for?


benton
Path Finder

I downvoted this post because sadly this does not work as expected. bins=1000 means that Splunk will determine some arbitrary number of bins that is less than 1000.


gfuente
Motivator

I downvoted this post because it is an incorrect answer: the bins option just defines a maximum number of bins, not the target number.


gfuente
Motivator

A valid solution is:

index=main | timechart [ search index=_internal | head 1 | addinfo | eval span=ceil((info_max_time-info_min_time)/1000)."s" | return span] count

The subsearch dynamically calculates the maximum period in seconds needed to get 1000 bins.

Regards
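The arithmetic in the subsearch above, plus the reason a bins= maximum gives fewer bars than requested (see the later comment about bins=10 showing 3 bars), as an added Python example that is not from this thread: it computes the exact span as the subsearch does, then snaps it up to a "nice" unit the way Splunk's auto-sizing roughly behaves, and reports the resulting bucket count. The NICE_SPANS_SEC table is an assumption for illustration, not Splunk's internal list.

```python
import math

# Candidate "nice" spans in seconds. This list is an assumption for the example,
# standing in for the preferred units Splunk snaps to; it is not Splunk's own table.
NICE_SPANS_SEC = [1, 5, 10, 30, 60, 300, 600, 1800, 3600,
                  14400, 43200, 86400, 604800]


def exact_span_seconds(info_min_time, info_max_time, max_bins=1000):
    """The subsearch arithmetic: ceil((info_max_time - info_min_time) / max_bins)."""
    window = info_max_time - info_min_time
    if window <= 0 or max_bins <= 0:
        raise ValueError("need a positive time window and bin count")
    return max(1, math.ceil(window / max_bins))


def nice_span_seconds(info_min_time, info_max_time, max_bins=1000):
    """Smallest nice span that still keeps the chart at or below max_bins buckets."""
    exact = exact_span_seconds(info_min_time, info_max_time, max_bins)
    for candidate in NICE_SPANS_SEC:
        if candidate >= exact:
            return candidate
    # Beyond the table: round up to whole days so the span string stays readable.
    return math.ceil(exact / 86400) * 86400


def span_string(seconds):
    """Render seconds as a span= value, using the largest whole unit that divides it."""
    for unit_sec, suffix in ((86400, "d"), (3600, "h"), (60, "m")):
        if seconds % unit_sec == 0:
            return f"{seconds // unit_sec}{suffix}"
    return f"{seconds}s"


def bin_count(info_min_time, info_max_time, span_seconds):
    """How many buckets a timechart with this span produces over the window."""
    return math.ceil((info_max_time - info_min_time) / span_seconds)


def timechart_clause(info_min_time, info_max_time, max_bins=1000, stat="count"):
    """Build the timechart command with a span that fits within max_bins buckets."""
    span = nice_span_seconds(info_min_time, info_max_time, max_bins)
    return f"timechart span={span_string(span)} {stat}"


if __name__ == "__main__":
    # Constructed window: one day of data with bins=10, as in the last comment.
    day = 86400
    print(timechart_clause(0, day, max_bins=10))              # timechart span=4h count
    print(bin_count(0, day, nice_span_seconds(0, day, 10)))   # 6, not 10
```

Because the snapped span can only be equal to or larger than the exact one, the bucket count never exceeds the maximum but usually falls short of it, which is why bins= behaves as a ceiling rather than a target.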

markthompson
Builder

I agree with you.

Bins is the only argument that I can see for the timechart command that will be ideal for your situation.

35 should be good if you require about a month span.


vdevarayan
Path Finder

I tried the following and getting unexpected results.

Here is my query:
searchquery | timechart bins=10 avg(responseTime)

I expect the x-axis to be divided into 10 bins/sections. In other words, if I use a bar/column chart for visualization, I expect 10 bars. However, I see only 3 bars.
Is my understanding/expectation incorrect?
