Hello,
I have implemented a dashboard in Splunk Enterprise that uses a time chart (among other things) that graphs network Jitter values that I have pulled from syslog files. The purpose of this graph is to graph "historic real-time jitter values". The user enters a time range and the Jitter values in that time range are graphed over time. I must have a span of 1s on the time chart so we can see every single data point (events can happen at any second), and the x-axis should be continuous so we see what is happening in "real time". I understand that this will produce a lot of pointless data and the truncation limit of the browser will have to be overridden (depending on how many data points I need to graph).
I am somewhat new to Splunk and I am able to get the correct graph for certain cases. The problem occurs when I set my time range for my search too long.
Here is my search so far:
<search id="baseSearch">
<!-- The pasted XML was missing the opening <query> tag, and the query ended with a
     trailing pipe; both are fixed here. The chart's post-process search is appended
     to this base search by Splunk, so the base search must not end with "|". -->
<query>
sourcetype=syslog AND
(jitter OR CC:) |
rex field=_raw "source=.(?P<Multicast_Address>\d*.\d*.\d*.\d*)" |
search Multicast_Address=$multicast_address_token$ |
rex field=_raw "[Jj]itter\s+\((?P<Jitter>\d+)" |
rex field=_raw "^(?:[^\(\n]*\(){3}(?P<dropped_packets>\d+)" |
search Jitter >=$jitter_start_token$ OR dropped_packets>=1 |
fillnull value=- |
rex field=_raw "^\w+\s+\d+\s+(?P<UTC_Time>[^ ]+)(?:[^ \n]* ){3}(?P<UTC_Date>\d+\-\d+\- \d+)" |
rename name AS "Stream Name", host AS "Device IP" , UTC_Time AS "UTC Time", UTC_Date AS "UTC Date", dropped_packets AS "Dropped/Lost Packets"
</query>
<earliest>$global_time_token.earliest$</earliest>
<latest>$global_time_token.latest$</latest>
</search>
....
.....
<input type="text" searchWhenChanged="true" token="trunication_token">
<label>trunication limit</label>
<default>20000</default>
</input>
<chart>
<search base="baseSearch">
<query>timechart fixedrange=f cont=t span=1s limit=0 list(Jitter) by Multicast_Address</query>
</search>
<option name="charting.chart.showMarkers">true</option>
<option name="charting.data.count">0</option>
<option name="charting.chart">line</option>
<option name="charting.axisY2.enabled">undefined</option>
<option name="charting.drilldown">all</option>
<option name="charting.chart.nullValueMode">zero</option>
<option name="charting.axisTitleX.text">UTC Time</option>
<option name="charting.axisTitleY.text">Jitter (ms)</option>
<option name="charting.chart.resultTruncationLimit">$trunication_token$</option>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
</chart>
Once the search time range is too long, the data no longer becomes continuous and will graph only the points with data, and not fill in the values with zero. I have set my charting.chart.resultTruncationLimit option with a token so I know that it is not the problem. I am thinking it must be some sort of data limit, or time limit, but I am not sure.
Again, I am new to Splunk, so if the way I have gone about this timechart is all wrong or this search is not ideal, please let me know too!
Any help would be great!!!
-Thanks
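The post asks for a continuous 1-second series with empty seconds filled with zero, and wonders whether the point count is what is hitting a limit. The following is an added illustration, not Splunk's code and not part of the original post: it models what a continuous span=1s bucketing with zero fill produces from a handful of sparse events, and compares the number of x-axis points a time range needs with a chart truncation limit. The event timestamps, the range helper `sample_range` and the limit value are constructed for the example; the only Splunk behaviour it relies on is that a time range is earliest-inclusive and latest-exclusive.

```python
"""Model of a continuous 1-second timechart with zero fill (added example)."""
from datetime import datetime, timedelta, timezone
from math import ceil

UTC = timezone.utc

# Constructed sample data, not real syslog events: (timestamp, jitter in ms).
# The gaps between events are what a continuous x-axis has to fill.
SAMPLE_START = datetime(2024, 1, 1, 12, 0, 0, tzinfo=UTC)
SAMPLE_EVENTS = [
    (SAMPLE_START + timedelta(seconds=0), 3),
    (SAMPLE_START + timedelta(seconds=1), 7),
    (SAMPLE_START + timedelta(seconds=5), 2),
    (SAMPLE_START + timedelta(seconds=9), 12),
]


def sample_range(seconds):
    """Convenience helper for the example: (earliest, latest) starting at SAMPLE_START."""
    return SAMPLE_START, SAMPLE_START + timedelta(seconds=seconds)


def bucket_start(ts, span_seconds):
    """Epoch second at which the span-sized bucket containing ts begins."""
    epoch = int(ts.timestamp())
    return epoch - (epoch % span_seconds)


def bucket_events(events, span_seconds=1):
    """Group (timestamp, value) pairs into buckets keyed by bucket start."""
    buckets = {}
    for ts, value in events:
        buckets.setdefault(bucket_start(ts, span_seconds), []).append(value)
    return buckets


def continuous_series(events, earliest, latest, span_seconds=1, fill=0):
    """Emit one (bucket_start, values) entry for every bucket from earliest
    (inclusive) to latest (exclusive). Buckets with no events carry [fill],
    which is the zero-filled point a continuous axis needs. Returns the
    series and the number of buckets that had to be filled."""
    buckets = bucket_events(events, span_seconds)
    series, filled = [], 0
    t = bucket_start(earliest, span_seconds)
    end = int(latest.timestamp())
    while t < end:
        if t in buckets:
            series.append((t, buckets[t]))
        else:
            series.append((t, [fill]))
            filled += 1
        t += span_seconds
    return series, filled


def point_count(earliest, latest, span_seconds=1):
    """Number of x-axis points a continuous chart needs for the range."""
    return ceil((latest - earliest).total_seconds() / span_seconds)


def exceeds_limit(earliest, latest, limit, span_seconds=1):
    """True when the continuous series is longer than a truncation limit."""
    return point_count(earliest, latest, span_seconds) > limit


if __name__ == "__main__":
    earliest, latest = sample_range(10)
    series, filled = continuous_series(SAMPLE_EVENTS, earliest, latest)
    for t, values in series:
        print(datetime.fromtimestamp(t, UTC).strftime("%H:%M:%S"), values)
    print("zero-filled buckets:", filled)
    # A 6-hour range at span=1s needs 21600 points, more than a 20000 limit.
    earliest, six_hours = sample_range(6 * 3600)
    print("points for 6h at 1s:", point_count(earliest, six_hours),
          "exceeds 20000:", exceeds_limit(earliest, six_hours, 20000))
```

The useful number is `point_count`: at span=1s it equals the range length in seconds, so a one-hour range needs 3600 points, a six-hour range 21600, and a day 86400, independent of how many events actually occurred. Any per-chart truncation limit therefore has to be sized from the longest range the user is allowed to pick, not from the number of events.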