Dashboards & Visualizations

Why does using time range "today" for timechart make it separate into 30 minute intervals?

alanxu
Communicator

My search is:

host=... source = "..."| timechart limit=100 latest(TIME) as Completion_Time

When I make it a week, it goes day by day. However, for "Today" it has 6 rows going from 7am to 9:30am in 30-minute increments.

0 Karma
1 Solution

martin_mueller
SplunkTrust

By default, timechart will split your time range into up to 100 buckets, using predefined steps. For 7 days you'd get 168 hours and therefore more than 100 buckets, whole days are the next step up and obviously under 100. For 24 hours you can fit in 48 30-minute buckets, but not 144 10-minute buckets.

You can change that behaviour by either specifying span= directly, or by changing the number for bins= to a different value than 100.

The start at 7am may be related to your timezone vs the server's timezone, depending on what the start of day is. Additionally, depending on the data there simply may be no events that happened before 7am.


alanxu
Communicator

Oh so my span should be span=d

0 Karma

alanxu
Communicator

For 'span=1d' it works for 24 hours but not for today... Is there a certain span that would work?

0 Karma

martin_mueller
SplunkTrust

In what way doesn't span=1d work for Today?

Note, it's pretty pointless to use timechart and force it to use only one time bucket. Instead, use stats.

0 Karma

Richfez
SplunkTrust

I second this, especially as I read the last part of your comment again. Stats is quite powerful and more efficient as well.

To answer your question, you are probably running into how span=1d splits the day. It does so at midnight, so if you run the report at midnight all is well. If you run it at another time, you get two returned values - one for yesterday and one for today. You can likely make your search work "better" in this regard (though possibly worse in a lot of other regards) by snapping your earliest/latest times. See here.

And, while we are still sort of exploring this one aspect of Splunk, I think you may be better off to think about what it is you are generally trying to accomplish and create a new question to ask how to get that done. That will keep this question as one question with one good answer which will help others who search for problems like this.

0 Karma
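The two behaviours described above, martin_mueller's auto-span selection (up to bins=100 buckets, stepping up a ladder of predefined spans) and Richfez's midnight snapping for span=1d, are modelled in the Python below. This is an added example, not Splunk's code and not part of any post in this thread: the step ladder STEP_LADDER is an illustrative assumption (Splunk's exact table of predefined spans is not reproduced), buckets are assumed to align from the calendar midnight of the timestamps' own wall clock (which is where the timezone question comes in), and the dates are constructed. It also shows Richfez's later point that raising bins to 200 lets a 7-day range fall to 1-hour buckets, since 168 is under 200.

```python
"""Toy model of timechart bucket selection and snapping (added example).

Assumptions, not Splunk internals: STEP_LADDER is an illustrative ladder of
predefined spans; buckets align from midnight of the timestamps' own wall
clock, so 'midnight' is midnight in whatever timezone the caller's naive
datetimes are expressed in. Dates used below are constructed.
"""
import math
from datetime import datetime, timedelta

# Illustrative ladder of predefined spans, in seconds (assumption).
STEP_LADDER = [1, 5, 10, 30, 60, 300, 600, 1800, 3600, 86400]


def auto_span(range_seconds, bins=100):
    """Pick the smallest ladder step whose bucket count stays <= bins.
    7 days at 1h is 168 buckets (> 100), so the step moves up to 1d;
    24h at 10m is 144 (> 100) but at 30m it is 48, so 30m wins."""
    for step in STEP_LADDER:
        if math.ceil(range_seconds / step) <= bins:
            return step
    return STEP_LADDER[-1]


def snap_down(ts, span_seconds):
    """Snap ts down to the start of its bucket, aligning buckets from the
    start of ts's calendar day (so span=86400 snaps to midnight)."""
    midnight = ts.replace(hour=0, minute=0, second=0, microsecond=0)
    offset = (ts - midnight).total_seconds()
    return midnight + timedelta(seconds=offset - offset % span_seconds)


def bucket_starts(earliest, latest, span_seconds):
    """Bucket start times covering [earliest, latest). The first bucket is
    snapped down, which is why span=1d over 'last 24 hours' run at 09:30
    yields two buckets (yesterday and today) while 'today' yields one."""
    starts = []
    cur = snap_down(earliest, span_seconds)
    while cur < latest:
        starts.append(cur)
        cur += timedelta(seconds=span_seconds)
    return starts


def bucket_count(earliest_iso, latest_iso, span_seconds=None, bins=100):
    """Convenience wrapper on ISO-8601 strings: number of buckets the model
    emits for the window, with automatic span selection when span is None."""
    earliest = datetime.fromisoformat(earliest_iso)
    latest = datetime.fromisoformat(latest_iso)
    if span_seconds is None:
        span_seconds = auto_span((latest - earliest).total_seconds(), bins)
    return len(bucket_starts(earliest, latest, span_seconds))


if __name__ == "__main__":
    now = datetime(2024, 3, 12, 9, 30)      # constructed 'now'
    today = now.replace(hour=0, minute=0)   # start of day, like Splunk's @d
    print("auto span, 7 days:", auto_span(7 * 86400))                   # 86400 (1d)
    print("auto span, 24 hours:", auto_span(24 * 3600))                 # 1800 (30m)
    print("auto span, 7 days, bins=200:", auto_span(7 * 86400, 200))    # 3600 (1h)
    print("span=1d, last 24 hours:",
          len(bucket_starts(now - timedelta(hours=24), now, 86400)))    # 2
    print("span=1d, today:", len(bucket_starts(today, now, 86400)))     # 1
```

Because the first bucket is snapped down to the span boundary rather than to earliest, a window that crosses midnight always spawns a "yesterday" bucket under span=1d; snapping earliest itself to @d (the "Today" preset) is what removes it.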

Richfez
SplunkTrust

alanxu,

It may help you to read up on a question I asked a while ago about how to set the default number of "bins" that are available to a somewhat higher number.

I wanted enough that I could see a week at 1 hour increments (by default), which is 168 or more, but I also didn't want to overload anything. I set my default at 200, and that gives me the granularity I want. It has worked out very well.

If that answer works for you, give the person who answered it some points by upvoting it: MarioM. He'll appreciate knowing this answer helped yet another person.

alanxu
Communicator

Ah, I can't touch the .config file.

0 Karma

Richfez
SplunkTrust

Bummer. 😞

I have found that bins=X is likely a better option than span=X, generally. There are advantages and disadvantages to each.

span=X gets you right to where you want to be, but if you change the date/time frame and length it's not flexible. span=1h works great for 1 week, but isn't so useful for 6 months. If you are building a dashboard with no time picker, it can be a perfect fit.

bins=X is more flexible because it sets the upper bound on how many bins Splunk will use so it can adjust within that range and change to fit vastly different time frames, but it can sometimes be difficult to find an X that fits all your needs.

Oh, and listen to martin_mueller. I've become convinced he knows nearly everything. 🙂
