Splunk Search

Search Timeline

motobeats
Path Finder

Can the granularity of the default timeline on the Search page be changed? Looks like it is optimized for speed depending on time span.

Right now I am searching over months and the granularity is 1 bar = 1 day. Any way to drop this to 1 bar = 1 hour?

1 Solution

sideview
SplunkTrust

There is. The best way to play around with it, is to go to "Manager > User Interface > Views", find the 'flashtimeline' view, and click "clone". Give the cloned view a name like "flashtimeline_custom", and then in the big textarea that's full of XML, scroll down a bit until you find this:

<module name="FlashTimeline" layoutPanel="graphArea">
  <param name="height">95px</param>
  <param name="width">100%</param>

and add a "statusBuckets" param, set to a value of like 600.

<module name="FlashTimeline" layoutPanel="graphArea">
  <param name="height">95px</param>
  <param name="width">100%</param>
  <param name="statusBuckets">600</param>

statusBuckets is actually a fairly low-level argument to the Splunk search API, but the bottom line is that this is the guideline given to splunkd as to the maximum number of buckets of equal length into which it should summarize the event data. There's a lot to know about status_buckets, but 1) the FlashTimeline module's default value is 300, 2) the search will run a bit slower with higher values, 3) in views that do not have a FlashTimeline module, it is almost always set to 0 or 1, 4) you probably shouldn't set it to anything higher than 1000, but if you do you might have to also set the "maxBucketCount".

Anyway, play around with that cloned copy of the view. Note that until you muck with the "permissions" link in Manager and share it with others, only your user account will be able to see that view.

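A worked example, added here and not part of the answer above, of the arithmetic behind choosing a statusBuckets value. Because splunkd summarizes events into at most statusBuckets buckets of equal length, a timeline bar can never be narrower than search_span / statusBuckets; the helper turns a desired bar width into the minimum statusBuckets value and checks it against the figures given in the answer (default 300, guideline ceiling 1000). The module and function names are my own; the constants come from the answer. The example does not model any rounding the FlashTimeline applies on top of that lower bound, which is an assumption stated in the code.

```python
"""Sizing the FlashTimeline statusBuckets param (added example, not Splunk code).

splunkd summarises matching events into at most `statusBuckets` buckets of
equal length, so one timeline bar can never be narrower than
search_span / statusBuckets.  This module computes that lower bound and the
minimum statusBuckets needed for a target bar width.  Assumption: the timeline
may still round bucket widths up to a tidy interval; that is not modelled here.
"""
from __future__ import annotations

import math
from datetime import timedelta

DEFAULT_STATUS_BUCKETS = 300     # FlashTimeline default, per the answer above
RECOMMENDED_MAX_BUCKETS = 1000   # "probably shouldn't set it higher", per the answer


def finest_bar_width(span: timedelta, status_buckets: int) -> timedelta:
    """Lower bound on bar width when the search gets `status_buckets` buckets."""
    if status_buckets < 1:
        raise ValueError("status_buckets must be >= 1")
    if span <= timedelta(0):
        raise ValueError("span must be positive")
    return span / status_buckets


def min_status_buckets(span: timedelta, bar_width: timedelta) -> int:
    """Smallest statusBuckets value whose buckets are no wider than `bar_width`."""
    if bar_width <= timedelta(0) or span <= timedelta(0):
        raise ValueError("span and bar_width must be positive")
    return math.ceil(span / bar_width)


def plan(span: timedelta, bar_width: timedelta) -> dict:
    """Summarise what it would take to get `bar_width` bars over `span`.

    Returns the statusBuckets value to put in the cloned view, whether the
    default is already enough, whether the value crosses the 1000 guideline,
    and the Advanced XML param line to paste into the FlashTimeline module.
    """
    needed = min_status_buckets(span, bar_width)
    return {
        "status_buckets": needed,
        "needs_override": needed > DEFAULT_STATUS_BUCKETS,
        "exceeds_recommended_max": needed > RECOMMENDED_MAX_BUCKETS,
        "param_xml": f'<param name="statusBuckets">{needed}</param>',
    }


if __name__ == "__main__":
    # Constructed scenarios: the asker's "months at 1 bar = 1 hour" and a
    # single month, which stays under the guideline ceiling.
    for days in (30, 90):
        p = plan(timedelta(days=days), timedelta(hours=1))
        print(f"{days} days at 1h bars -> {p}")
    # The 600 suggested in the answer gives bars no finer than this over 90 days:
    print(finest_bar_width(timedelta(days=90), 600))
```

Over 90 days the default 300 buckets cannot produce bars finer than 7.2 hours, the suggested 600 gets that down to 3.6 hours, and true hourly bars would need 2160 buckets, well past the 1000 guideline, so hourly granularity is realistic only over spans of roughly a month or less.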


sideview
SplunkTrust

If you're playing around with the Advanced XML, you should check out Sideview Utils. Your XML will be much shorter, less nested, you'll see the same conventions in effect over and over again so you have less to learn, and Sideview Utils has a huge set of docs pages with working examples, embedded right into the app itself.

The biggest testament though, is that anyone who's spent significant time with just core advanced XML, and then switched to Sideview Utils, expresses some form of "omg i have no idea how I was getting anything done before".

http://sideviewapps.com/apps/sideview-utils


motobeats
Path Finder

Thanks. Display seems really customizable. Is there documentation on what the fields all mean? I was able to figure out most in the xml but for a few, I could not tell what was changing.
