Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Realtime graph time axis

vbumgarner
Contributor
‎05-06-2011 01:34 PM

Is there any way to tell a realtime graph to always show the last hour, even if there is only data for a small part of that time?

To make things more interesting, this is a FlashChart in a PostProcess in an advanced xml dashboard, so fixedrange doesn't work.

Tags (2)
Reply

sideview
SplunkTrust
SplunkTrust
‎05-06-2011 04:07 PM

UPDATE:

Indeed the earliest/latest bounds of the search appear to not survive the freezing process. So when the postProcess timechart gets to it, it implicitly snaps in around the actual data.

Here's one weird thing you might try. It adds 2 extra phantom events into any search. One whose _time value is the info_min_time, one whose _time is the info_max_time. If you add this to your base search theoretically it'll force the postProcess to keep the original bounds.

<your search> | append [
stats count | eval earliest=1 | addinfo | transpose
| search column="info_min_time" OR column="info_max_time"
| rename "row 1" as value
| eval _time=if(match(column,"info_max_time"),value,_time)
| eval _time=if(match(column,"info_min_time"),value,_time) ]

PREVIOUS ANSWER:

I assume you're not using timechart? Because timechart will always leave empty leading and trailing buckets, even when there's postProcess involved. So either you're doing stats foo by _time manually or there must be something else going on.

Can you paste in the search you're using?

0 Karma
Reply

vbumgarner
Contributor
‎05-06-2011 05:42 PM

This is indeed an oversimplified example. bar is referenced in the initial query, so it does work. The only problem is that the timechart has a timeline exactly scaled to the events seen, not the last hour.

0 Karma
Reply

sideview
SplunkTrust
SplunkTrust
‎05-06-2011 05:35 PM

That doesnt seem right. At least when you split this up into a base search and a postprocess search, Splunk wont extract the 'bar' term cause it doesnt know anyone cares about 'bar'. maybe this is an oversimplified example?

0 Karma
Reply

vbumgarner
Contributor
‎05-06-2011 05:07 PM

Search module with a search of foo, earliest of rt-1h, latest of rt.
PostProcess module with a search of |timechart span=1m count by bar.

If I run the full query in Advanced Charting, it works as expected.

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...