Dashboards & Visualizations

Graph sizing

TheOnlyOne
Observer

Hello,
we get Data from a Windows Server, i have change the interval from every 1minute to 10 minutes.
Thats enough to get valid informations.

Now we have a Problem with the graph, there are some gaps in it.
At the moment the X Xis is set to minutes.

is it possible to fill out the gaps?

alt text

Tags (1)
0 Karma

TheOnlyOne
Observer

Hi Frank,
this is the search: index="xd" SessionState="Active"
Is very simple, i will get the active Session in CITRIX. I have installed the CITRIX 7 Template in Splunk.
I have modifyed the interval on the Splunk Forwarder to get every 10 Minutes the active Sessions.

0 Karma

FrankVl
Ultra Champion

Can you share the search that generates this graph? You may need to tweak the span setting on the timechart command, to match the frequency at which the data comes in.

0 Karma

TheOnlyOne
Observer

Hi Frank,
this is my search: index="xd" SessionState="Active"
I will get the Active Sessions in CITRIX. I have installed the CITRIX 7 Template.
The Splunk Forwarder send every 10 Minutes new logs.

0 Karma

FrankVl
Ultra Champion

Just that search alone will not get you that graph. Don't you have a timechart in there somewhere?

0 Karma

TheOnlyOne
Observer

Maybe this help you:

  <title>XenApp Active Sessions</title>
  <chart>
    <search>
      <query>| pivot XenAppSessions RootObject count(RootObject) AS Sessions SPLITROW _time AS _time PERIOD minute SORT 0 _time ROWSUMMARY 0 COLSUMMARY 0 SHOWOTHER 1</query>
      <earliest>-24h@h</earliest>
      <latest>now</latest>
      <sampleRatio>1</sampleRatio>
    </search>
    <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
    <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
    <option name="charting.axisTitleX.visibility">visible</option>
    <option name="charting.axisTitleY.visibility">visible</option>
    <option name="charting.axisTitleY2.visibility">visible</option>
    <option name="charting.axisX.abbreviation">none</option>
    <option name="charting.axisX.scale">linear</option>
    <option name="charting.axisY.abbreviation">none</option>
    <option name="charting.axisY.maximumNumber">80</option>
    <option name="charting.axisY.scale">linear</option>
    <option name="charting.axisY2.abbreviation">none</option>
    <option name="charting.axisY2.enabled">0</option>
    <option name="charting.axisY2.scale">inherit</option>
    <option name="charting.chart">area</option>
    <option name="charting.chart.bubbleMaximumSize">50</option>
    <option name="charting.chart.bubbleMinimumSize">10</option>
    <option name="charting.chart.bubbleSizeBy">area</option>
    <option name="charting.chart.nullValueMode">connect</option>
    <option name="charting.chart.showDataLabels">none</option>
    <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
    <option name="charting.chart.stackMode">default</option>
    <option name="charting.chart.style">shiny</option>
    <option name="charting.chart.overlayFields">AvgOverall</option>
    <option name="charting.drilldown">none</option>
    <option name="charting.layout.splitSeries">0</option>
    <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
    <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
    <option name="charting.legend.mode">standard</option>
    <option name="charting.legend.placement">right</option>
    <option name="charting.lineWidth">2</option>
    <option name="trellis.enabled">0</option>
    <option name="trellis.scales.shared">1</option>
    <option name="trellis.size">large</option>
  </chart>
</panel>
0 Karma

FrankVl
Ultra Champion

Guess it is because of the PERIOD minute part. So the results get bucketed per minute, since you only have data once every 10 minutes, you have empty buckets, resulting in those gaps in the graph.

Changing it to PERIOD hour probably gets rid of the gaps, but then you'll loose some detail I think (not very familiar with pivot).

0 Karma

TheOnlyOne
Observer

It is a bit strange, when i set to PERIOD minute, i get the correct Session number. When i change to PERIOD hour, i get strange numbers. Normal Numbers are arround 200 with PERIOD minute, with PERIOD hour i get 800 or more.

0 Karma

FrankVl
Ultra Champion

I guess that is because 1h contains multiple imports and it does a count. So you probably get the sum of the sessioncounts from the various inputs?

Not sure if there is any way to make this work properly when your import frequency does not align with the pivot PERIOD. Maybe someone with more pivot experience can say something on that.

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

Does the visualization connect help?

<option name="charting.chart.nullValueMode">connect</option>

Happy Splunking!
0 Karma

TheOnlyOne
Observer

Ok i have found the option to display the source. The connect option dosent help

0 Karma

TheOnlyOne
Observer

Where can i insert this Option? in the search directly=?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...