Charting large amount of data points

gnovak
Builder

I have a form that charts some data for me. However it's not charting enough data points for the search I specified. Here's the search and chart from the form.

<row>
  <chart>
    <title>Average Response Time Per Day</title>
    <searchTemplate>index=oxrsping sourcetype=OXRSTEST4 hostname=$hostname$ | timechart span=5m avg(domain_check) as domain_check avg(domain_create) as domain_create avg(domain_delete) as domain_delete avg(domain_renew) as domain_renew avg(domain_transf) as domain_transf avg(update_balance) as update_balance avg(user_login) as user_login avg(user_logout) as user_logout avg(registrar_update) as registrar_update avg(registrar_info) as registrar_info</searchTemplate>
    <option name="charting.chart">line</option>
    <option name="charting.primaryAxisTitle.text">Date</option>
    <option name="charting.secondaryAxisTitle.text">Average Response Time</option>
  </chart>
</row>

If I select the time frame of data to chart to, say, 30 days, it only charts 5 days' worth of data. It's as if it cannot chart that many data points for 30 days. Is there any way to resolve this issue? I'm checking in the forum for others who might have had this issue as well but figured I'd throw this out there as well.

Btw, I'm using Splunk version 4.2.1.


Ayn
Legend

Yes, there is a limit to how many data points the charting module will accept. The solution in your case would be to drop the "span=5m" argument to timechart so that the number of data points will be automatically chosen to be something that is suitable to chart.


gnovak
Builder

Yes, I tried taking the span=5m out as well. Splunk scales the chart based on the time frame. It's not as detailed, but still does the job. I am wondering if there is a way to click on a spike in the chart and then have Splunk rechart again based on where I clicked. I'll research this. Thanks for the feedback.
