Time range of timechart changed after upgrade to v...

OL · ‎01-28-2013

Hello,

I have noticed a different behaviour in Splunk 5.0.1 when comparing with Splunk 4.3.x with the timechart search command.

For a graph showing the last 4 hours of data, in Splunk v4.3.x, if I didn't have any data for the past hour, it was showing me a time range of 4 hours with data only in the first 3 hours.
In Splunk v5.0.1, if I don't have any data for the past hour, it will show me only a time range of 3 hours and ignoring the past hour. For most of my graphs, this is not the desired behaviour.

I tried to play with the "fixedrange" parameter by forcing it to True, but this didn't change anything.

Would anyone know how to force timechart to display the whole selected time range even if we don't have any data?

Regards,

Olivier

OL · ‎06-28-2013

Hello,

The problem was with Splunk 5.0.1 and has been corrected in 5.0.2+. I don't know the version you have but might be useful to check it.

Regards,
Olivier

sansay · ‎01-14-2015

It seems that this issue is back with version 6.
I have tried a lot of different ideas to make timechart show the complete time range. The only one I found is adding records using gentime, like this:

earliest=-24h@h latest=now index=your_index transaction amount | append[ gentimes start=-1 increment=1h ] | timechart span=1h sum(dollars) fixedrange=true

But the search takes anywhere between 3 and 4 minutes to complete, whereas without gentime, it will take only 10 to 15 seconds

pvols1979 · ‎06-28-2013

I have also attempted the fixedrange setting with no positive results. I am wondering if there is anything we can do with the XML directly.

Time range of timechart changed after upgrade to version 5.0.1

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor