cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
puladamscom
Explorer
Member since: ‎07-10-2013
‎10-05-2021
Community Statistics
Posts 7
Solutions 0
Karma Given 1
Karma Received 5
Member Since ‎07-10-2013
Activity Feed
View All

Re: Parse the pan+zoom selection $start$ and $end$...

by in Dashboards & Visualizations
‎03-18-2019 07:41 AM
‎03-18-2019 07:41 AM
Alternatively, a neat little trick to avoid the <eval> thing is to avoid the dashes in the x-axis values in the first place. To do that, just change span=5 to span=5s. I know it seems strange but believe me it works - just do it and you will see! ... View more

Re: Min/Max of Time Axis on Timechart Does Not Alw...

by in Splunk Search
‎10-08-2015 01:45 AM
1 Karma
‎10-08-2015 01:45 AM
1 Karma
@aferone I still don't know of a proper fix, but I habitually use the following workaround. First, to recap the problem demonstrator query - it looks back over 24 hours but throws away all but the "middle" 12h of the period. The defect causes the scale bounds to "snap" to the data extents .... index=_audit earliest=-1d latest=now | where _time<(now()-60*60*4) AND _time>(now()-60*60*20) | timechart span=5m count AS tally BY host Adding the following two lines resolves that issue. You can slap these lines onto any problem query and it will do the same for you. Only thing is that you must stipulate the same span value as the first timechart, but otherwise it is totally reusable as-is... ... | untable _time series value | timechart span=5m first(value) BY series ... View more

Re: Min/Max of Time Axis on Timechart Does Not Alw...

by in Splunk Search
‎05-08-2014 01:25 PM
‎05-08-2014 01:25 PM
I have found a similar complaint (http://answers.splunk.com/answers/96869/timechart-yesterday-forced-to-display-full-24-hours) This guy's workaround is a bit better than mine, which is to stick a fillnull just before the timechart. So this index=* earliest=-1d latest=now | head 1 | timechart span=1h count becomes index=* earliest=-1d latest=now | head 1 | fillnull value=NULL | timechart span=1h count ... View more

Re: Min/Max of Time Axis on Timechart Does Not Alw...

by in Splunk Search
‎05-08-2014 01:13 PM
‎05-08-2014 01:13 PM
I am on version 6.0.1 so pretty recent. The fixedrange=T promises to solve my issue, but doesn't deliver To illustrate, the following query still fits the x axis to the data index=* earliest=-1d latest=now | head 1 | timechart fixedrange=T count So I guess this is a Splunk bug then ... View more

Re: Min/Max of Time Axis on Timechart Does Not Alw...

by in Splunk Search
‎05-08-2014 12:24 PM
‎05-08-2014 12:24 PM
@linu1988 I don't have an issue with the allowable number of datapoints on a chart, nor the span. If you run this query: index=* earliest=-1d latest=now | head 1 | timechart count You'll see the x axis does not cover the whole day; it just "fits" to the one datapoint returned ... View more

Re: Min/Max of Time Axis on Timechart Does Not Alw...

by in Splunk Search
‎05-08-2014 05:14 AM
‎05-08-2014 05:14 AM
Can't seem to edit my question to get rid of a formatting gremlin. The queries should have been: index=_audit earliest=-1d latest=now | where _time<(now()-60 * 60 * 4) AND _time>(now()-60 * 60 * 20) | timechart span=5m count ..... and ..... index=_audit earliest=-1d latest=now | where _time<(now()-60 * 60 * 4) AND _time>(now()-60 * 60 * 20) | bucket span=5m _time | stats count BY _time | timechart span=5m avg(count) ... View more

Min/Max of Time Axis on Timechart Does Not Always ...

by in Splunk Search
‎05-08-2014 05:02 AM
4 Karma
‎05-08-2014 05:02 AM
4 Karma
If you perform a query that returns events that do not hit the left or right "edge" of your specified time range, and then timechart these events, the timechart axis starts and ends with the first and last event rather than the earliest/latest clause you specified in your query. I would expect the timechart scale to "honor" the query time range. It is an infuriating problem for those who want multiple timecharts on a dashboard as the scale on the various charts may not tally. To illustrate, here is a rather contrived example you can run yourself The below simulates a query over the last day in which all returned events fell within the middle 12h of that day - i.e. nothing during the first/last 4h index=_audit earliest=-1d latest=now | where _time<(now()-60*60*4) AND _time>(now()-60*60*20) | timechart span=5m count Notice that the timechart's x axis starts and ends with the first/last datapoint - in other words it only shows the "populated" 12h rather than the whole 24h. Now for the inelegant workaround. It appears that timechart suddenly DOES honor your timerange if you put a reporting command BEFORE the timechart, for example index=_audit earliest=-1d latest=now | where _time<(now()-60*60*4) AND _time>(now()-60*60*20) | bucket span=5m _time | stats count BY _time | timechart span=5m avg(count) I currently use this as a workaround, but it is artificial and confusing for maintainers. Anyone know of a more elegant fix? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎10-05-2021 11:27 AM
Karma from
View All
Karma given to
View All