https://community.splunk.com/t5/Dashboards-Visualizations/scatter-chart-is-not-working/m-p/472879#M45766 <P>index="123Prod" source="/var/ABC/CDE/trace.log" StartAuthenticationSession <BR /> | rex field=_raw "traceId=\"(?[^:]+)" <BR /> | rename _time as InTime <BR /> | stats min(InTime) as InTime by TraceID <BR /> | table InTime TraceID | sort InTime limit=5000<BR /> | join TraceID<BR /> [ search index="123Prod" source="/var/ABC/CDE/trace.log" responseType=AuthenticationSucceeded sessionCompleted<BR /> | rex field=_raw "traceId=\"(?[^:]+)"<BR /> | table _time, TraceID<BR /> | rename _time as OutTime<BR /> | table OutTime , TraceID]<BR /> | table TraceID InTime OutTime</P> Wed, 30 Sep 2020 02:05:08 GMT Anantha123 2020-09-30T02:05:08Z https://community.splunk.com/t5/Dashboards-Visualizations/scatter-chart-is-not-working/m-p/472877#M45764 <P>Hi, </P> <P>I am running a query to show in scatter chart with name-field, X-axis and Y-axis . This Query throws over 15000 results for past 24 hrs . Since the limit of scatter chart is 10000 , I gave limit=5000 to try . When I am running the query for 60 mins ,I get the scatter chart as expected . But when I run same query for 24 hrs ( the record may be high but I have the limit added in query ) , It is breaking the search by saying "script long running - stop script" . Please advice </P> Thu, 05 Sep 2019 15:55:42 GMT https://community.splunk.com/t5/Dashboards-Visualizations/scatter-chart-is-not-working/m-p/472877#M45764 Anantha123 2019-09-05T15:55:42Z https://community.splunk.com/t5/Dashboards-Visualizations/scatter-chart-is-not-working/m-p/472878#M45765 <P>Sounds like your search needs to be tuned. If you post the code, we can suggest ways to make it run more effectively.</P> Thu, 05 Sep 2019 17:42:08 GMT https://community.splunk.com/t5/Dashboards-Visualizations/scatter-chart-is-not-working/m-p/472878#M45765 DalJeanis 2019-09-05T17:42:08Z https://community.splunk.com/t5/Dashboards-Visualizations/scatter-chart-is-not-working/m-p/472879#M45766 <P>index="123Prod" source="/var/ABC/CDE/trace.log" StartAuthenticationSession <BR /> | rex field=_raw "traceId=\"(?[^:]+)" <BR /> | rename _time as InTime <BR /> | stats min(InTime) as InTime by TraceID <BR /> | table InTime TraceID | sort InTime limit=5000<BR /> | join TraceID<BR /> [ search index="123Prod" source="/var/ABC/CDE/trace.log" responseType=AuthenticationSucceeded sessionCompleted<BR /> | rex field=_raw "traceId=\"(?[^:]+)"<BR /> | table _time, TraceID<BR /> | rename _time as OutTime<BR /> | table OutTime , TraceID]<BR /> | table TraceID InTime OutTime</P> Wed, 30 Sep 2020 02:05:08 GMT https://community.splunk.com/t5/Dashboards-Visualizations/scatter-chart-is-not-working/m-p/472879#M45766 Anantha123 2020-09-30T02:05:08Z https://community.splunk.com/t5/Dashboards-Visualizations/scatter-chart-is-not-working/m-p/472880#M45767 <P>Okay, here's the way to connect all the dots at one time more efficiently. This method is called the "Splunk Stew" method, and uses <CODE>stats</CODE> to join on the key instead of <CODE>join</CODE>.</P> <PRE><CODE>index="123Prod" source="/var/ABC/CDE/trace.log" (StartAuthenticationSession) OR (responseType=AuthenticationSucceeded sessionCompleted) | rex field=_raw "traceId=\"(?[^:]+)" | eval OutTime=case(responseType="AuthenticationSucceeded",_time) | eval InTime=case(isnull(OutTime),_time) | stats min(InTime) as InTime max(OutTime) as OutTime by TraceID </CODE></PRE> <P>Then, given those results, you can cull them to only 5K with </P> <PRE><CODE>| sort 5000 InTime </CODE></PRE> <P>See how that works for you.</P> <HR /> <P>The "Splunk Stew" method is more fully described here - <A href="https://answers.splunk.com/answers/524250/how-to-search-for-matches-in-two-different-searche.html">https://answers.splunk.com/answers/524250/how-to-search-for-matches-in-two-different-searche.html</A></P> Fri, 06 Sep 2019 21:02:37 GMT https://community.splunk.com/t5/Dashboards-Visualizations/scatter-chart-is-not-working/m-p/472880#M45767 DalJeanis 2019-09-06T21:02:37Z