I am using a heatmap to represent my timechart, and I have a time range picker to determine the time range of the heatmap visualization.
... |timechart span=1h count by class_desc
span=1h is ideal for me if a preset value of "Last 7 days" or lower is picked.
But data beyond 2 weeks will not be displayed if I were to pick the preset value of "Last 30 days".
For "Last 30 days", span=1d would be ideal.
Thus I am looking to compare the time range picker token ($time_token$) of the time range:
if $time_token$ <= "Last 7 Days" then span=1h
P.S. I've tried the bins method and it isn't what I am looking for (https://answers.splunk.com/answers/44213/how-can-i-change-the-span-in-timechart-when-the-timerangepi...)
@esmonder, questions on similar lines have been answered before. Following is one of the ways to do this:
Step 1: Add a dummy search with your earliest and latest time input tokens (where time picker input token name is
<search>
  <query>| makeresults </query>
  <earliest>$time_token.earliest$</earliest>
  <latest>$time_token.latest$</latest>
  <progress>
    <eval token="tokSpan">case(strptime($job.latestTime$,"%Y/%m/%d %H:%M:%S")-strptime($job.earliestTime$,"%Y/%m/%d %H:%M:%S")>604800,"1d",true(),"1h")</eval>
  </progress>
</search>
progress search event handler is used to set the timeSpan token using eval tag. If the difference between earliest and latest time is greater than 604800 i.e. 7*24*60*60 seconds (7 days), then tokSpan is set to 1d, else it is set to
Step 2: Use tokSpan in the timechart command for Calendar Heatmap custom visualization
... |timechart span=$tokSpan$ count by class_desc
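The two steps above combined into one dashboard, as an added example that is not part of the original answer. It is a variant: the range is computed in SPL with addinfo and read back in a done handler instead of parsing $job.earliestTime$; the index, the split-by field and the chart panel are stand-ins for the poster's base search and heatmap visualization.

```xml
<form version="1.1">
  <label>Timechart with range-dependent span (added example)</label>
  <fieldset submitButton="false">
    <!-- Time picker using the token name from the thread: time_token -->
    <input type="time" token="time_token" searchWhenChanged="true">
      <label>Time range</label>
      <default>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

  <!-- Step 1: dummy search bound to the picker. addinfo exposes the resolved
       search boundaries as epoch seconds (info_min_time / info_max_time).
       Ranges up to 604800 s (7 days) get 1h; anything longer, or a range
       that is not a finite number, falls back to 1d. -->
  <search>
    <query>| makeresults
| addinfo
| eval range = info_max_time - info_min_time
| eval span = if(isnum(range) AND range &lt;= 604800, "1h", "1d")
| fields span</query>
    <earliest>$time_token.earliest$</earliest>
    <latest>$time_token.latest$</latest>
    <done>
      <!-- Copy the computed value from the first result row into tokSpan -->
      <set token="tokSpan">$result.span$</set>
    </done>
  </search>

  <!-- Step 2: the panel search waits until tokSpan is set, then uses it.
       index=_internal and sourcetype are stand-ins (assumptions) for the
       poster's elided base search and class_desc field. -->
  <row>
    <panel>
      <chart>
        <search>
          <query>index=_internal | timechart span=$tokSpan$ count by sourcetype</query>
          <earliest>$time_token.earliest$</earliest>
          <latest>$time_token.latest$</latest>
        </search>
      </chart>
    </panel>
  </row>
</form>
```

A range whose earliest time is snapped to the hour (such as -7d@h) spans slightly more than 604800 seconds, so raise the threshold if such a range should still get span=1h.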
Hey @esmonder, if @niketnilay solved your problem, please don't forget to accept an answer! You can upvote posts as well. (Karma points will be awarded for either action.) Happy Splunking!