I have a timechart covering data from every 10 minutes. If I look at the last 24 hours, that would generate 144 bins. The docs say that timechart defaults to
bins=300. This finds the smallest bucket size that results in no more than 300 distinct buckets.
As I have fewer than 300 buckets, I would expect that it would represent the data with 144 buckets covering ten minute intervals. In reality, though, it's summarizing to every 30 minutes. I could force the issue with bins=144, but then that becomes problematic if the user switches the timepicker to 4 hours (gaps), or 48 hours (less accurate).
How can I make Timechart use all the way up to 300 bins, without destroying the graph at other time windows?
It seems like 300 is not actually the default.
I just ran a test search, and indeed it seems to bucket too low -- last 24 hours gets 49 buckets of 30mins each.
However when I add bins=300
to the same timechart clause, suddenly I get 293 buckets of 5 minutes each.
<your search> | timechart count bins=300
It seems like 300 is not actually the default.
I just ran a test search, and indeed it seems to bucket too low -- last 24 hours gets 49 buckets of 30mins each.
However when I add bins=300
to the same timechart clause, suddenly I get 293 buckets of 5 minutes each.
<your search> | timechart count bins=300
Here's the implementation of this method, using sideview_utils to dynamically size the number of bins for timechart. Note: for anyone who might stumble upon this -- it is reasonably complex, not for the brave of heart, and should be tested extensively.
the connect option wont help you because there literally is a datapoint at zero. Connect will only draw a connection across null points. It's expected, it's just a fact of life when there's only so much granularity in the actual data. You could use svutils to embed a customBehavior in JS whereby it outputs a span="30m" / span="10m" term as appropriate, but I'm not sure it'd be worth the extra surface area.
Hmm. I wonder if its just specific to my data, but when I do bins 300, I also get 5 min intervals -- except I only have data every 10 min, so I get data point, then null, then a datapoint, creating a ton of valleys. Is this expected, and I should address it with the connect option? It seems like it should be able to bin up to that number (in case I have 7 days of data), but have it just use the minimum reasonable bucketing for 4 hours of data.