How to set the maximum number of displayed values ...

gschr · ‎10-02-2015

Hi,

The following dashboard contains a search that returns more than 1000 values (3600). I want to visualize all of them, but there is a maximum number of values a Splunk chart can display. The option <option name="charting.data.count">0</option> is supposed to raise this limit or deactivate it (http://docs.splunk.com/Documentation/Splunk/6.3.0/Viz/ChartConfigurationReference).

This option doesn't seem to have effect on the Dashboard in Splunk 6.3.

<dashboard>
  <label>Test charting.data.count</label>
  <row>
    <panel>
      <chart>
        <search>
          <query>index="_internal" | timechart count span=1s</query>
          <earliest>-60m@m</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">minimal</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.data.count">0</option>
      </chart>
    </panel>
  </row>
</dashboard>

mporath_splunk · ‎11-13-2015

This bug has been fixed in the recent 6.3.1 maintenance release (released on 11/4/15).
Find more information and all bugfixes in the 6.3.1. Release Notes

mporath_splunk · ‎10-02-2015

Hi gschr, it looks like the setting works correctly but the warning message you get is not accurate. On dashboards, you should actually be able to see all results, even though the warning message shows the 1000 data point limit.

Out of curiosity: Is there a particular reason to show this many data points? The reason I'm asking is that at some point you run into a limit in terms of how many data points you can physically display on a screen. There might be better options to visualize this much data.

dmr195 · ‎10-07-2015

The setting works correctly in Splunk 6.2 but not in Splunk 6.3.0. It seems that any attempt to increase the limit above 1000 fails. For example, this also doesn't work in Splunk 6.3.0:

<option name="charting.data.count">50000</option>

You still get the message and the chart is truncated.

Also, whilst I agree that you cannot fit more than about 1000 points on a screen (or maybe 1700 on a standard 1920x1080 monitor taking into account borders), if a limit of 1000 is going to be enforced it should be done by skipping points evenly through the range rather than truncating.

And if this change was a deliberate design for Splunk 6.3 rather than a mistake then the documentation should have been updated.

mporath_splunk · ‎10-07-2015

Thanks for the feedback, dmr195.
Indeed, the truncation message you see in 6.3. is a bug. We already have an open ticket for this.
In our tests the charting.data.count setting works correctly in 6.3.0 both with 0 and 50000 as values. To reiterate, you'll still see the truncation message until we've fixed this. Could you double check that your data is truncated when raising the limit?
Long term, I agree, truncation is not optimal, and an even sampling would be more helpful.

cstarling · ‎11-10-2015

By any chance is there an update on the ticket? I am having the same issue with a very similar graph to dmr195.

mporath_splunk · ‎11-11-2015

Unfortunately I can't give you an exact date. But we've looked into the bug and this should be addressed in one of the upcoming maintenance releases.

gschr · ‎10-03-2015

Hi mporath, thank you for your answer.
Yes, there is a reason for raising limit. The time series I want to plot has some small peaks and sharp edges, that you only see when you have timechart with a span of 1s while most of the time it is quite constant. To get a better overview you want to show periods of about an hour (3600 data points). It seems like there is still much space between the data points when you set the time period in a way only 1000 data points are displayed.

afishkin_splunk · ‎10-02-2015

<option name="charting.data.count">0</option> should not raise any warning

dmr195 · ‎10-07-2015

This is a regression between Splunk 6.2 and Splunk 6.3. Is there already a bug raised for it in Splunk's bug tracking system? Or is it worth reporting to get it fixed?

How to set the maximum number of displayed values in a chart in Splunk 6.3?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes