Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Charting large amount of data points

gnovak
Builder
‎01-30-2012 02:29 PM

I have a form that charts some data for me. However it's not charting enough data points for the search I specified. Here's the search and chart from the form.

<row>
<chart>
          <title>Average Response Time Per Day</title>
          <searchTemplate>index=oxrsping sourcetype=OXRSTEST4 hostname=$hostname$ | timechart span=5m avg(domain_check) as domain_check avg(domain_create) as domain_create avg(domain_delete) as domain_delete avg(domain_renew) as domain_renew avg(domain_transf) as domain_transf avg(update_balance) as update_balance avg(user_login) as user_login avg(user_logout) as user_logout avg(registrar_update) as registrar_update avg(registrar_info) as registrar_info</searchTemplate>
          <option name="charting.chart">line</option>
          <option name="charting.primaryAxisTitle.text">Date</option>
          <option name="charting.secondaryAxisTitle.text">Average Response Time</option>
      </chart>
</row>

If I select the time frame of data to chart to say, 30 days, it only charts 5 days worth of data. It's as if it cannot chart that many data points for 30 days. Is there any way to resolve this issue? I'm checking in the forum for others who might have had this issue as well but figured I'd throw this out there as well.

btw i'm using splunk version 4.2.1

Tags (2)
0 Karma
Reply

Ayn
Legend
‎01-30-2012 10:22 PM

Yes, there is a limit to how many data points the charting module will accept. The solution in your case would be to drop the "span=5m" argument to timechart so that the amount of datapoints will be automatically chosen to something that is suitable to chart.

0 Karma
Reply

gnovak
Builder
‎01-31-2012 11:30 AM

Yes, I tried taking the span=5m out as well. Splunk scales the chart based on the time frame. It's not as detailed, but still does the job. I am wondering if there is a way to click on a spike in the chart and then have splunk rechart again based on where I clicked. I'll research this. Thanks for the feedback.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...