https://community.splunk.com/t5/Splunk-Search/How-to-create-a-timechart-with-actual-values-instead-of-some/m-p/314849#M94238 <P>Charts have limits on how many points they can show, that's why it advisable to use an aggregation command to reduce the number of points plotted (see this for limits: <A href="http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/Viz/ChartDisplayissues#Searches_with_non-transforming_commands">http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/Viz/ChartDisplayissues#Searches_with_non-transforming_commands</A>). You may be able to avoid using aggregation command and using just simple table command to show all points. How many events you've with our base search ?</P> Thu, 31 Aug 2017 19:04:05 GMT somesoni2 2017-08-31T19:04:05Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-timechart-with-actual-values-instead-of-some/m-p/314846#M94235 <P>I have a splunk query of the following:</P> <PRE><CODE>&lt;searc&gt; | timechart avg(cache_size) by host_instance </CODE></PRE> <P>That will give me the average cache size per day. However I want to use the time metric for the log to visualize how much of each "host_instance" cache is being used at a certain time. Ideally I would l like to look at this chart and see how much cache was used by instance "a" (and all other instances) at a certain time. </P> Thu, 31 Aug 2017 18:09:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-timechart-with-actual-values-instead-of-some/m-p/314846#M94235 gb0143 2017-08-31T18:09:42Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-timechart-with-actual-values-instead-of-some/m-p/314847#M94236 <P>would <CODE>values(cache_size)</CODE> or <CODE>list(cache_size)</CODE> be what you are looking for? or perhaps <CODE>|bucket _time span=1d |table _time host_instance cache_size</CODE> but bucket by 1d, 1h, etc., depending on what you need</P> <P>otherwise, if you could more clearly define the expected output, that would be very helpful</P> Thu, 31 Aug 2017 18:43:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-timechart-with-actual-values-instead-of-some/m-p/314847#M94236 cmerriman 2017-08-31T18:43:56Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-timechart-with-actual-values-instead-of-some/m-p/314848#M94237 <P>Also, if you could maybe mock up what that shows that isn't what you need, and what you'd like instead?</P> Thu, 31 Aug 2017 18:49:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-timechart-with-actual-values-instead-of-some/m-p/314848#M94237 Richfez 2017-08-31T18:49:19Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-timechart-with-actual-values-instead-of-some/m-p/314849#M94238 <P>Charts have limits on how many points they can show, that's why it advisable to use an aggregation command to reduce the number of points plotted (see this for limits: <A href="http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/Viz/ChartDisplayissues#Searches_with_non-transforming_commands">http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/Viz/ChartDisplayissues#Searches_with_non-transforming_commands</A>). You may be able to avoid using aggregation command and using just simple table command to show all points. How many events you've with our base search ?</P> Thu, 31 Aug 2017 19:04:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-timechart-with-actual-values-instead-of-some/m-p/314849#M94238 somesoni2 2017-08-31T19:04:05Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-timechart-with-actual-values-instead-of-some/m-p/314850#M94239 <P>Adjust the timespan. <CODE>1h</CODE>, <CODE>30m</CODE>, <CODE>15m</CODE> should be viable ...</P> <PRE><CODE> your search | timechart span=1h avg(cache_size) by host_instance </CODE></PRE> Thu, 31 Aug 2017 19:52:03 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-timechart-with-actual-values-instead-of-some/m-p/314850#M94239 DalJeanis 2017-08-31T19:52:03Z