Splunk Search

What is span, timechart, minspan, and useother doing in my search?

Justin1224
Communicator

Hi,

I'm having trouble understanding some portions of my search, I was wondering if someone could help me out.

Here is my search:

| `tstats` count from datamodel=Web by _time,Web.action span=10m
| timechart minspan=10m useother=`useother` count by Web.action
| `drop_dm_object_name("Web")`

Even after reading the Splunk search reference page for timechart, I still don't really understand what it does. Also, I don't understand what span is doing in the first command and what minspan is doing in the second command. Lastly, I also am unsure of what useother is and what it is doing.

Any help would be appreciated


inventsekar
Ultra Champion

All this info is from the Splunk docs only. Please check them once again and if you still have any doubts, let us know.
Your query is using data models, I think. If you give us some more info about your query, then only can we understand this query better.

http://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/tstats
http://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/Timechart

Use the tstats command to perform statistical queries on indexed fields in tsidx files. The indexed fields can be from normal index data, tscollect data, or accelerated data models.
tstats Grouping by _time
You can provide any number of GROUPBY fields. If you are grouping by _time, supply a timespan with span for grouping the time buckets, for example span='1hr' or '3d'. This parameter also supports 'auto'.
timechart minspan - bin-options
Syntax: bins | minspan | span |
Description: Options that you can use to specify discrete bins, or groups, to organize the information. The bin-options set the maximum number of bins, not the target number of bins. See the Bin options section in this topic.
Default: bins=100
minspan
Syntax: minspan=
Description: Specifies the smallest span granularity to use automatically inferring span from the data time range.
useother - Syntax: useother=
Description: Specifies if a series should be added for data series not included in the graph because they did not meet the criteria of the .
Default: True

Justin1224
Communicator

Thanks for the help! One thing I don't understand is that useother is supposed to have an = following it, correct? So why does the useother in my query have a macro following it? Isn't it just supposed to be either =T or =F?

And unfortunately I don't have any more information about the query, other than the query itself.

Also, I get that the 'by _time' is grouping by the field '_time', but what is the 'Web.action' directly following it doing? Also, the span=10m groups by the field _time for every 10 minutes, correct? If that's the case, when does it stop grouping? There are millions of different 10 minute periods within a few years' time; there's no way it can aggregate by each of those.

Lastly, I don't understand the description for what timechart minspan does. Could you try to describe it in simpler terms?

Thank you for your help


somesoni2
SplunkTrust
SplunkTrust

The useother accepts either t or f (and true or false). Your Splunk developer has probably written a macro to globally control which value should be used for all the searches (t or f). The macro should just be replacing the t or f value there based on what has been set.

If you see multiple fields in the by clause, separated by comma or space, the grouping is done by all the fields (the order of grouping is defined by the order in which they're specified). The span=10m will update the value of _time into buckets of 10 min (all events from 00:00:00 to 00:09:59 will get grouped into 00:00:00, all events from 00:10:00 to 00:19:59 will get grouped into 00:10:00, etc.).

Splunk can aggregate billions. 🙂

Justin1224
Communicator

Thank you for helping, somesoni2.

So it is grouping by the field _time and then aggregating those results by the field action? I'm unsure of what is being counted here. From what I understand it is saying it counts from the data model node that is called "Web" and aggregates these results first by _time field and then by action field. Which means it is performing this count for each 10 minute period and then performs that aggregation for each instance of the field action. I don't think my understanding there is correct. That seems like there would be a ridiculous number of results. Also, I'm completely lost as to what the second command does.

I guess my questions are: Do I have that description for the first command right, what does the second command do, and what is the first command counting.

Thank you for helping


somesoni2
SplunkTrust
SplunkTrust

Assume your datamodel has data like this

_time                action             someotherfield
09/22/2016 00:00     action1            blah
09/22/2016 04:00     action2            blah
09/22/2016 11:00     action1            blah
09/22/2016 12:00     action1            blah
09/22/2016 14:00     action3            blah
09/22/2016 22:00     action1            blah
09/22/2016 44:00     action2            blah
09/22/2016 59:00     action3            blah

then | tstats count from datamodel=Web by _time,Web.action span=10m will give output like this (time is put into a 10 min bucket and the count is calculated for each unique combination of bucketed time and action).

_time                action            count
09/22/2016 00:00     action1            1
09/22/2016 00:00     action2            1
09/22/2016 10:00     action1            2
09/22/2016 10:00     action3            1
09/22/2016 20:00     action1            1
09/22/2016 40:00     action2            1
09/22/2016 50:00     action3            1

The output is good for plotting a chart, but they wanted to have a separate series/y-axis value for each action, so the next command is used.

| timechart minspan=10m useother=`useother` count by Web.action

output:

_time               action1   action2   action3
09/22/2016 00:00     1        1         0
09/22/2016 10:00     2        0         1
09/22/2016 20:00     1        0         0
09/22/2016 40:00     0        1         0
09/22/2016 50:00     0        0         1

Justin1224
Communicator

Hey somesoni2, just to clarify, regarding Web.action, is "action" a field here? And is "Web" a parent node?

Thank you!


somesoni2
SplunkTrust
SplunkTrust

Yes!!!!!!!

Justin1224
Communicator

Great thank you!


Justin1224
Communicator

Sorry to keep bothering you on this question, but why is there a minspan=10m in the second command? Isn't the span=10m in the first command already separating the time into 10 minute buckets? So why have a minspan=10m? And is useother what's making the table have three different columns?


somesoni2
SplunkTrust
SplunkTrust

If you don't specify a bucket option (like span, minspan, bins) while running the timechart, it automatically does further bucketing based on the number of results. By specifying minspan=10m, we're ensuring the bucketing stays the same as in the previous command. You can use span instead of minspan there as well.

In your timechart command, you're using a by clause, and what it does is create a column (along with the column _time) for each value of the field in the by clause (Web.action here). Also, by default it shows only 10 columns and groups the remaining ones into an 11th field called OTHER. The option useother=false will remove that OTHER column.
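As an added illustration of both of somesoni2's explanations above (the 10-minute bucketing and pivot shown in the tables, and the 10-series limit with the OTHER column that useother controls), here is a small Python simulation of the two commands over constructed sample events. It is not code from the thread or from Splunk; the ranking of series by total count when the limit is hit is an assumption about timechart's behaviour, and the zero-filling of empty buckets reflects timechart's continuous time axis.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not data from the thread: (_time, Web.action)
EVENTS = [
    ("2016-09-22 00:00", "action1"), ("2016-09-22 00:04", "action2"),
    ("2016-09-22 00:11", "action1"), ("2016-09-22 00:12", "action1"),
    ("2016-09-22 00:14", "action3"), ("2016-09-22 00:22", "action1"),
    ("2016-09-22 00:44", "action2"),
]
SPAN = timedelta(minutes=10)  # span=10m in tstats, minspan=10m in timechart

def bucket(ts):
    """Floor a timestamp to the start of its 10-minute bucket, which is what span=10m does."""
    dt = datetime.strptime(ts, "%Y-%m-%d %H:%M")
    return dt.replace(minute=dt.minute - dt.minute % 10, second=0)

def tstats_count(events):
    """| tstats count from datamodel=Web by _time,Web.action span=10m
    One row per unique (bucketed _time, action) pair, with how many events fell into it."""
    return Counter((bucket(ts), action) for ts, action in events)

def timechart(rows, useother=True, limit=10):
    """| timechart minspan=10m useother=<t|f> count by action   (limit=10 is the default)
    Pivots each action into its own column.  Only the top `limit` series keep a column
    (ranked by total count here, an assumption); the rest are summed into OTHER when
    useother is true and dropped when it is false.  Every bucket from the first to the
    last is emitted, so an empty bucket shows up as a row of zeros."""
    if not rows:
        return []
    totals = Counter()
    for (_, action), n in rows.items():
        totals[action] += n
    top = [a for a, _ in totals.most_common(limit)]
    columns = sorted(top) + (["OTHER"] if useother and len(totals) > limit else [])
    table = defaultdict(lambda: {c: 0 for c in columns})
    for (b, action), n in rows.items():
        col = action if action in top else "OTHER"
        if col in columns:          # with useother=false OTHER is not a column: dropped
            table[b][col] += n
    start, end = min(b for b, _ in rows), max(b for b, _ in rows)
    out = []
    while start <= end:
        out.append((start, dict(table[start])))  # a missing bucket becomes a zero row
        start += SPAN
    return out

if __name__ == "__main__":
    for when, cols in timechart(tstats_count(EVENTS)):
        print(when.strftime("%m/%d/%Y %H:%M"), cols)
```

Calling timechart(rows, limit=2) on the same rows shows action3 folded into an OTHER column, and limit=2 with useother=False shows it dropped instead.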
