timechart for "concurrent users per 5 minute bucket" for a month is not displaying

minted
New Member

I'm using a timechart to show the "concurrent users per 5-minute bucket". This works when I chart it for one day or one week, but when I chart it for a month, I just see a flat line at 0. Maybe it's because there are too many buckets. How else would I get this to display?

host="web*.p1.dfw.minted.com" (source="/srv/minted/logs/app-requests.log" OR source="/srv/minted/logs/app-requests.log-*") | jsonkv | search NOT isnull(visitor_id) | bucket _time span=5m | timechart span="5m" dc(visitor_id) as visitors
0 Karma
1 Solution

MillerTime
Splunk Employee

I believe timechart currently has a limit of 1000 data points on the x-axis, so you're most likely going over that limit (as of Splunk 4.2.3). The max number of days you'll be able to display on a timechart with a 5min resolution will be ~3 days (865 5-minute buckets). Using a span of 45m will get you close to the best resolution possible at 30d without hitting that limit (45m windows for 30 days = 961 buckets out of a max of 1000).

Consider increasing your bucket span to a larger interval like 45 or 60m in order to display 30 days worth of data in a timechart.

Also, if you're reporting over long time ranges like 30 days, you should probably look into Summary Indexing to speed up the time to search and generate reports. I've listed helpful links on Summary Indexing below:

Here's some info on Summary Indexing:
Video: http://www.splunk.com/view/SP-CAAACZW
Docs: http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Configuresummaryindexes
More: http://www.splunk.com/wiki/Community:Summary_Indexing
External Reference: http://www.davidveuve.com/tech/how-i-do-summary-indexing-in-splunk/

I'll also just mention that if each data point has a width of one pixel, and your average computer monitor can only fit 1080 pixels across the width (1080p), then you're going to run into that 1000 x-axis datapoint limit even if we did increase the maximum. Even my fancypants 30" monitor can only display 1600 pixels across, so I wouldn't be surprised if this remains limited until we get 4320p monitors or figure out how to split pixels 😉

lukeh
Contributor

I had a very similar requirement... you just need to bucket into 5-minute increments, then bucket again into a larger window (e.g. 1 hour) and calculate the average over that span:

host="web*.p1.dfw.minted.com" (source="/srv/minted/logs/app-requests.log" OR source="/srv/minted/logs/app-requests.log-*") | jsonkv | search NOT isnull(visitor_id) | 
bucket _time span=5m | stats dc(visitor_id) as visitors by _time | bucket _time span=1h | timechart span=1h avg(visitors) as avg_visitors

All the best,

Luke 🙂

0 Karma
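What lukeh's two-stage bucketing actually measures, as an added Python example that is not part of the original thread: it replays the search pipeline over a constructed log (the one-JSON-object-per-line format and the `_time`/`visitor_id` field names are assumptions) and also computes dc directly over a 1-hour span, which shows minted's point that a wider span counts a different thing: here 6 visitors per hour where every 5-minute bucket sees only 2.

```python
import json
from collections import defaultdict
from statistics import mean
SPAN_5M, SPAN_1H = 300, 3600

# Constructed sample log (field names and one-JSON-object-per-line format are
# assumptions): two hours of requests, one per minute. Every 5-minute bucket
# sees two distinct visitors, but the pair changes from bucket to bucket.
BASE = 1699999200  # epoch seconds on both a 5-minute and a 1-hour boundary
SAMPLE_LOG = "\n".join(
    json.dumps({"_time": BASE + 60 * m, "visitor_id": f"v{(m // 5) % 3}_{m % 2}"})
    for m in range(120)
) + "\n" + json.dumps({"_time": BASE + 30, "path": "/health"})  # no visitor_id

def parse_events(text):
    """Mirror `jsonkv | search NOT isnull(visitor_id)`: keep events with a visitor."""
    events = []
    for line in text.splitlines():
        rec = json.loads(line)
        if rec.get("visitor_id") is not None:
            events.append((int(rec["_time"]), rec["visitor_id"]))
    return events

def bucket(ts, span):
    """Mirror `bucket _time span=...`: floor the timestamp to its bucket start."""
    return ts - ts % span

def dc_per_bucket(events, span):
    """Mirror `stats dc(visitor_id) as visitors by _time` after bucketing."""
    seen = defaultdict(set)
    for ts, vid in events:
        seen[bucket(ts, span)].add(vid)
    return {start: len(ids) for start, ids in sorted(seen.items())}

def rollup(per_bucket, span, reducer):
    """Mirror the second `bucket _time span=1h | timechart span=1h avg(visitors)`:
    reduce the 5-minute counts inside each wider bucket with avg (or max)."""
    grouped = defaultdict(list)
    for start, count in per_bucket.items():
        grouped[bucket(start, span)].append(count)
    return {start: reducer(vals) for start, vals in sorted(grouped.items())}

def compare(text):
    """Per hour: avg and max of the 5-minute dc, next to dc taken over the hour."""
    events = parse_events(text)
    per5m = dc_per_bucket(events, SPAN_5M)
    return {"avg_5m": rollup(per5m, SPAN_1H, mean),
            "max_5m": rollup(per5m, SPAN_1H, max),
            "dc_1h": dc_per_bucket(events, SPAN_1H)}  # what a wider span measures
```

Using `max` instead of `avg` in the roll-up keeps the peak 5-minute concurrency visible on the 30-day chart, which is usually the number capacity planning cares about.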

MillerTime
Splunk Employee

Timechart does take optional span and bin arguments: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/timechart. However, the problem you're facing is the 1000 data-point limitation of timechart (also a limitation of 1080p resolution). If you need 5-minute buckets, then you are limited to a 3-day total range of the timechart.

0 Karma

minted
New Member

Thanks, I'm using summary indexing already but simplified it out of the question. 🙂

My goal is to measure "concurrent users within 5 minutes". If I used a span of 45 minutes, then it would be measuring "concurrent users within 45 minutes", which would be 9 times greater.

For example, if I know that over a specific hour, there were roughly 1000 concurrent users for each 5-minute bucket, then the span of 45 minutes could be as high as 9000 users.

I hypothesized that there's a way to use "stats" to bucket by time, but I couldn't get this to work with "timechart". Can you help me?

0 Karma