Bind Timechart Span to Timepicker Value

jmglynn
Engager

Hello, I'm a total Splunk novice, so sorry if this is a completely obvious solution.

I have a SingleValue visualization that I'd like to add a trend component to (so I'm switching from `stats count` to `timechart count`). The issue is that I want the discrete events to be aggregated into a single count based on a span consistent with the time picker. The default timechart behavior has all events being counted separately.

Example: Timepicker input is set to last 24 hours. I now want my timechart command to have a span of 24h. This should work dynamically with any timepicker value. 

From what I've researched so far, it looks as though I need to mess around with the source xml, and some tokens, but I'm not sure what exactly to do. I tried to simply set `span = $time_tok$`, but that was not successful. 

Thanks for the help in advance!



bowesmana
SplunkTrust

@jmglynn 

If you want a single value viz with trend, then you cannot have the timechart span=X the same as the time picker window, as you will only get 1 (or two depending on the snap to time picker setting) value.

In that case, you cannot get a trend as the trend works by looking at the data points in the timechart.

There are two aspects to showing trend in single value viz - the timechart span and the trend span, of which the trend span must be equal to or larger than the timechart span for it to have an effect.

So, if you have your time picker of 24 hours, what do you want the trend to show? If you want it to show an hourly trend, you cannot set your timechart span= interval to more than one hour.

The single value viz has a setting where you can set the trend range, but the data must exist for it to show it, e.g. in the XML you can see something like this, which in this case represents a custom trend interval.

```xml
<option name="trendInterval">-10m</option>
```

In order to do dynamic span settings, you will have to play with tokens and some post processing of searches - not too hard. Here is an example dashboard that gives you some basics.

I have included the first panel as a visible panel, so you can see the results of the search that is calculating the tokens, but it's effectively running a search to calculate your time picker window then assuming you want 24 timechart intervals, and the trend comparison to be two intervals. Note the trend sparkline shows the trend across all 24 calculated intervals.

Note that with single value viz and trends, the trend may show odd movements, as the last time window may be smaller than the full span window as it's dependent on the "snap to" setting of the time picker.

```xml
<form>
  <label>Spans</label>
  <fieldset submitButton="false">
    <input type="time" token="time_range" searchWhenChanged="true">
      <label>Time</label>
      <default>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <done>
            <set token="tc_span">$result.tc_span$</set>
            <set token="tr_span">$result.tr_span$</set>
          </done>
          <query>| makeresults
      | addinfo
      | eval maxt=if(isnum(info_max_time),info_max_time,now())
      | eval spanLength=maxt-info_min_time
      | eval mins=floor(spanLength/60)
      | eval spanMins=ceil(mins/24)
      | eval trendSpan=spanMins*2
      | eval tc_span=spanMins."m"
      | eval tr_span="-".trendSpan."m"</query>
          <earliest>$time_range.earliest$</earliest>
          <latest>$time_range.latest$</latest>
        </search>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <single>
        <search>
          <query>index=_internal
| timechart span=$tc_span$ count</query>
          <earliest>$time_range.earliest$</earliest>
          <latest>$time_range.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
        <option name="refresh.display">progressbar</option>
        <option name="trendInterval">$tr_span$</option>
      </single>
    </panel>
  </row>
</form>
```

Hopefully this example dashboard, which searches the _internal index to get data, gives you a leg up to tokens and search handling. If you don't have rights to search that index, just change the index=_internal to something you can see and it will work.

If you want to make that panel invisible, then the simplest way is to change the <row> statement to be 

```xml
<row depends="$hidden$">
```

where the "$hidden$" token represents a non-existent token, so the panel will never show, but the search still runs.
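The span arithmetic of the token search above and the partial last bucket behind the "odd movements" note, modelled in Python as an added example that is not part of the original post. It assumes timechart buckets start at multiples of the span counted from epoch 0; the epoch timestamps are constructed sample values.

```python
import math

INTERVALS = 24  # the answer's token search aims for 24 timechart buckets

def span_tokens(earliest, latest):
    """Mirror the eval chain: return (span_minutes, tc_span, tr_span)."""
    mins = math.floor((latest - earliest) / 60)
    span_mins = math.ceil(mins / INTERVALS)
    return span_mins, f"{span_mins}m", f"-{span_mins * 2}m"

def buckets(earliest, latest, span_mins):
    """Return (bucket_start, seconds_of_window_covered) per bucket.

    Assumption: buckets start at multiples of the span counted from epoch 0.
    """
    if span_mins < 1:
        raise ValueError("window shorter than one minute gives a 0m span")
    span = span_mins * 60
    start = (earliest // span) * span
    out = []
    while start < latest:
        covered = min(start + span, latest) - max(start, earliest)
        out.append((start, covered))
        start += span
    return out

# Constructed sample windows (epoch seconds), both 24 hours long.
UNSNAPPED = (1_699_916_600, 1_700_003_000)   # starts 200 s past the hour
SNAPPED = (1_699_916_400, 1_700_002_800)     # starts and ends on the hour

if __name__ == "__main__":
    for name, (lo, hi) in (("unsnapped", UNSNAPPED), ("snapped", SNAPPED)):
        span_mins, tc_span, tr_span = span_tokens(lo, hi)
        b = buckets(lo, hi, span_mins)
        print(f"{name}: tc_span={tc_span} tr_span={tr_span} buckets={len(b)} "
              f"first={b[0][1]}s last={b[-1][1]}s of {span_mins * 60}s")
```

With the unsnapped window the final bucket covers only 200 of 3600 seconds, so the trend compares a nearly empty bucket with full ones; the snapped window yields 24 full buckets.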

 


jmglynn
Engager

Thank you for your detailed explanation. This makes sense to me, and I see now that what I was after was flawed all along. 
