Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Realtime graph time axis

vbumgarner
Contributor
‎05-06-2011 01:34 PM

Is there any way to tell a realtime graph to always show the last hour, even if there is only data for a small part of that time?

To make things more interesting, this is a FlashChart in a PostProcess in an advanced xml dashboard, so fixedrange doesn't work.

Tags (2)
Reply

sideview
SplunkTrust
SplunkTrust
‎05-06-2011 04:07 PM

UPDATE:

Indeed the earliest/latest bounds of the search appear to not survive the freezing process. So when the postProcess timechart gets to it, it implicitly snaps in around the actual data.

Here's one weird thing you might try. It adds 2 extra phantom events into any search. One whose _time value is the info_min_time, one whose _time is the info_max_time. If you add this to your base search theoretically it'll force the postProcess to keep the original bounds.

<your search> | append [
stats count | eval earliest=1 | addinfo | transpose
| search column="info_min_time" OR column="info_max_time"
| rename "row 1" as value
| eval _time=if(match(column,"info_max_time"),value,_time)
| eval _time=if(match(column,"info_min_time"),value,_time) ]

PREVIOUS ANSWER:

I assume you're not using timechart? Because timechart will always leave empty leading and trailing buckets, even when there's postProcess involved. So either you're doing stats foo by _time manually or there must be something else going on.

Can you paste in the search you're using?

0 Karma
Reply

vbumgarner
Contributor
‎05-06-2011 05:42 PM

This is indeed an oversimplified example. bar is referenced in the initial query, so it does work. The only problem is that the timechart has a timeline exactly scaled to the events seen, not the last hour.

0 Karma
Reply

sideview
SplunkTrust
SplunkTrust
‎05-06-2011 05:35 PM

That doesnt seem right. At least when you split this up into a base search and a postprocess search, Splunk wont extract the 'bar' term cause it doesnt know anyone cares about 'bar'. maybe this is an oversimplified example?

0 Karma
Reply

vbumgarner
Contributor
‎05-06-2011 05:07 PM

Search module with a search of foo, earliest of rt-1h, latest of rt.
PostProcess module with a search of |timechart span=1m count by bar.

If I run the full query in Advanced Charting, it works as expected.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...