How do I change the default granularity on a chart?

dskillman
Splunk Employee

How do I change the default granularity on a chart? It appears I'm hitting a limit somewhere and I'm not getting as many results graphed as I would like. Minutes get bubbled to hours and hours to days etc. I would like to force the chart to stay in a "minutes" granularity longer.

1 Solution

sideview
SplunkTrust

The bins comment is totally accurate, in that you can use this to raise the maximum number of bins, and thus raise the granularity:

| timechart bins=1500 count

But I think, as you've discovered, there's another limit even after you've fixed that, of 250 rows, and that the Flash only seems to graph from the first 250 rows even when there are more.

What you're hitting is a 250 row limit on the FlashChart module in the UI itself.

If you're authoring in the advanced XML (which you probably are not), the FlashChart module takes a param called maxResultCount, which is optional and defaults to 250.

If on the other hand you're authoring in the simplified XML, you can effect the same thing with a charting key:

<option name="charting.data.count">1000</option>

Add one of those to your <chart> like so:

<chart>
  <searchString>foo | timechart bins=1000 count by sourcetype</searchString>
  <earliestTime>-6h</earliestTime>
  <latestTime>-0s</latestTime>
  <option name="charting.chart">line</option>
  <option name="charting.data.count">1000</option>
</chart>

And to show the code in the land of the Advanced XML, you would add this param:

<param name="maxResultCount">1000</param> 

to your FlashChart module. Hopefully that will get you going.

gkanapathy
Splunk Employee

You can use the bins= parameter on the timechart command. For example:

| timechart bins=1500 count

will attempt to use up to 300 time bins for whatever time range you specify. The time bins will snap to a convenient number (e.g., 15 minutes, 5 minutes, 30 seconds, 30 minutes, etc., but not something like 29 minutes). You could also set a fixed span with the span= option:

| timechart span=1m count

But this will cause an error if your time range covers more than 50,000 seconds (which is over 1 month).

Also note that the UI will only return up to 10,000 results, and it is excessive to graph more than a few hundred bins.
