How does Splunk decide the time interval for the time range selected in the Time Range Picker?
For example, when we select "Last 7 Days" from the time range picker and look at the graph, the time interval is automatically set to 1 day!
When we select "Last 24 hours", the time interval is automatically set to 4 hours!
How does Splunk decide this interval?
Please help me!
Thanks in advance!
The answer depends on what 'graph' you're referring to.
1) If you mean the graph in the default search view that always has green bars, we call that the 'timeline' generally. What determines the granularity there is the status_buckets argument that is sent when the search is first dispatched. The presence of the FlashTimeline module in the XML hierarchy will cause status_buckets to be set to 300.
http://www.splunk.com/base/Documentation/latest/Developer/RESTSearch#POST
It's also a little-known fact that the FlashTimeline module exposes a statusBuckets param in the XML that you can use to change this from the default of 300.
http://www.splunk.com/base/Documentation/latest/Developer/ModuleReference#FlashTimeline
2) On the other hand, if you mean the timecharts that you get when you're using the timechart command, then the default granularity comes from the timechart command itself.
Timechart accepts a bins argument OR a span argument. Of the two, people are generally more familiar with the span arg, because it's more intuitive to say span=2h than bins=200.
However, if you specify neither one of those two, the timechart command will use an implicit default for the bins param.
The documentation says that the default bins value is bins=300, but based on my observation I think this is incorrect and it's closer to 150. You can test this out by running various searches with timechart count and then with timechart bins=300 count, and in some time ranges you'll see a difference.
http://www.splunk.com/base/Documentation/latest/SearchReference/Timechart
By the way, you should be aware that when you're using a 'split by' field in timechart, make sure to put the bins and span args right after the timechart and not after your split by field, because if you put these args after the split by field, that tells Splunk that you want to control bucketing on the splitBy field, not on the time axis. Try it and see, because it's kind of cool. Run timechart count by date_minute bins=10 and timechart count by date_minute span=15 to see what I mean.