topic Re: Native Chart Format Limitations in Splunk Search

Native Chart Format Limitations

himynamesdave — Sat, 23 Nov 2013 22:20:37 GMT

I'm trying to build a timechart (line graph) over 13 years using a 12 month span.

My search to generate the visualisation looks like this:

sourcetype="ec_com_donations_CSV"| bin _time span=12mon| timechart sum(Value) by Entity_name useother=f limit=6

And produces a line graph (-line) the looks like this:

If I choose a span <= to 1mon the visualisation shows an adjoining line between points, as intended. However, anything > 1mon, like my search above, the lines disappear.

Why is this? I know this can probably be resolved through XML, but can it be done natively in Splunk (am I missing something obvious!)?

Re: Native Chart Format Limitations

lguinn2 — Sun, 24 Nov 2013 04:30:08 GMT

Check your format options on the line graph. One choice is between the options "Gap", "Treat as Zero", and "Trend". Try different options and see if you get what you want.

Perhaps a better option is to run the search this way:

sourcetype="ec_com_donations_CSV" 
| timechart sum(Value) by Entity_name useother=f limit=6 span=12mon

In your original search, you used the bin command to group the data, but timechart didn't know about the grouping and therefore saw the data as disjoint points. In this version, timechart itself is doing the grouping and therefore should preserve the lines.

Re: Native Chart Format Limitations

himynamesdave — Tue, 26 Nov 2013 14:52:17 GMT

Thanks for your help.

I managed to solve it by selecting - Format > General > Null Values > Join - using my original search command.

I'm interested to know more about why the "span" command in the search you suggested does not work (this was the search I tried first for this viz). Using "span=12mon" does not group the data into 12 month buckets (it remains in 1 month intervals) - which is why I experimented with the "bin" command.

Re: Native Chart Format Limitations

lguinn2 — Tue, 26 Nov 2013 15:24:50 GMT

Wow - that's weird. I did actually know that Splunk sees the span option of timechart as somewhat advisory in nature. But I have never seen timechart refuse to create larger time buckets, only smaller ones. (For example, timechart can't show 30 days of data in seconds.) And in recent versions, I have seen Splunk issue a message rather than simply ignoring the option.