Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

timechart without a split clause not showing all results

hartfoml
Motivator
‎03-05-2012 08:48 AM

I have a search showing 288 results but the chart is not showing them all

I know timechart has a "limit" switch but it only works if you have a split-by-clause

Here is my code | timechart span=1d avg(field_Number)

this returns 288 days with a number for avg(field_Number) and a new number is added every day.

I would like a chart that shows all the days on the chart.

I am also trying to add a trend line with a look ahead to the timechart.

Thanks for any help.

Mike H.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

hartfoml
Motivator
‎03-06-2012 08:05 AM

OK Here is the actual search command

index=os sourcetype="df" | rex "T\s+(?<DiskUse>\d+)%" | timechart span=1d avg(DiskUse) AS "Historical % Disk Use" | convert timeformat="%Y%m%d" ctime(_time) AS Date | eval 25%_&_Filling=25 | eval Halfway=50 | eval DecisionPoint=70| table Date "Historical % Disk Use" 25%_&_Filling Halfway DecisionPoint

I run this once a week on a schedule

The results table is as is expected. I could not find a way to upload the tabke so i included several lines here but they are all the same. 281 results one for each day since i started monitoring disk use on the system.

I have attache a screen shot of the graph and it shows that the only thin i see in the graph is the start of recording up to about 40 days or 40 points. not all 281 points are shown.

Chart
Table

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

hartfoml
Motivator
‎03-06-2012 08:05 AM

OK Here is the actual search command

index=os sourcetype="df" | rex "T\s+(?<DiskUse>\d+)%" | timechart span=1d avg(DiskUse) AS "Historical % Disk Use" | convert timeformat="%Y%m%d" ctime(_time) AS Date | eval 25%_&_Filling=25 | eval Halfway=50 | eval DecisionPoint=70| table Date "Historical % Disk Use" 25%_&_Filling Halfway DecisionPoint

I run this once a week on a schedule

The results table is as is expected. I could not find a way to upload the tabke so i included several lines here but they are all the same. 281 results one for each day since i started monitoring disk use on the system.

I have attache a screen shot of the graph and it shows that the only thin i see in the graph is the start of recording up to about 40 days or 40 points. not all 281 points are shown.

Chart
Table

0 Karma
Reply
Solved! Jump to solution

hartfoml
Motivator
‎03-07-2012 09:28 AM

OK great thanks for the help we are planing to upgrad this evening.

0 Karma
Reply
Solved! Jump to solution

Simon_Fishel
Splunk Employee
Splunk Employee
‎03-06-2012 09:28 PM

Ok I see, you're actually using 'table' to plot the results, since it's the last reporting command. In 4.3 there is a limit of 40 results plotted for commands like 'table'.

The good news is that in 4.3.1 we got rid of that limit (although with more than 80 results we hide the x-axis labels to prevent them from crowding), so upgrading to 4.3.1 should get the results you want.

0 Karma
Reply
Solved! Jump to solution

hartfoml
Motivator
‎03-06-2012 08:10 AM

Sorry couldn't figure out the upload for this app

0 Karma
Reply
Solved! Jump to solution

hartfoml
Motivator
‎03-05-2012 12:36 PM

Sorry I don't think the data like you asked would help but maybe i can explain better.

I have a search that reports one valy per day for 288 days. the days bucket is defined in the span=1d. so I have a tale with one collumb of 288 dates and one collumb of 288 asoceated numbers. when i put this on a graph i only get 100 dates and 100 assoceated numbers. as i understand it this is due to the default "limit" for the timechart function. the "limit" switch can be set to smaller or larger but only if you are useing the by clause like "count by something" or "this by that" so my problem is how to change the defult limit without useing the "by" clause or maybe i sould be useing the 'stats avg(field_number)' rather than the timechart

0 Karma
Reply
Solved! Jump to solution

hartfoml
Motivator
‎03-06-2012 08:11 AM

I tried as you said to upload but was unable to do so

0 Karma
Reply
Solved! Jump to solution

Simon_Fishel
Splunk Employee
Splunk Employee
‎03-05-2012 10:25 PM

I stil think the screenshots would be helpful.

I don't think the "limit" is the problem here. It should only apply when you are using a split-by to create multiple series, and then it limits the number of series not the number of points. With no split-bys you should be able to plot at least 500 points.

The best way to figure this out is going to be by looking at the chart and the corresponding results table so I can track down what's going wrong.

0 Karma
Reply
Solved! Jump to solution

Simon_Fishel
Splunk Employee
Splunk Employee
‎03-05-2012 10:38 AM

Would it be possible for you to post a screen-shot of this? It would help in reproducing if I could see the chart as well as the search results in table form, so I can tell what is not being plotted. Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...