Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Timechart cuts off last time value

A_VA
Explorer
‎10-30-2024 09:01 AM

Afternoon, Splunkers! Timechart is really frothing my coffee today.

When putting in the parameters for a timechart, it always cuts off the latest time value.

For example, if I give it a time window of four hours with a span of 1h, I get a total of four data points:

12:00:00
13:00:00
14:00:00
15:00:00

I didn't ask for four data points, I asked for the data points from 12:00 to 16:00. And in this particular example, no, 16:00 isn't a time that hasn't arrived yet or only has partial data; it does this with any time range I pick, at any span setting.

Now, I can work around this by programming the dashboard to add 1 second to the <latest> time for the time range. Not that huge of a deal.

However, I'm left with a large void on the right-hand side of the time range. Is there anyway I can fix this, either by forcing the timechart to show me the whole range or by hiding the empty range?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-30-2024 10:29 AM

Essentially, it is a matter of interpretation of the chart - it could be argued that the "space" between 15:00 and 16:00 represents the events in this time (hence the space in the chart graphic). You could use a column chart to show the space "occupied" with a graphic.

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-30-2024 10:08 AM

The time range 12:00 to 16:00 is for timestamps greater than or equal to 12:00 and less than 16:00 i.e. you don't get times beginning 16:00, so you are getting what you asked for. When timestamps are binned by the timechart command, all timestamps are taken back to the beginning time slot they are binned in.

What would you expect to be in the 16:00 data point (as your earliest and latest values have not included any events beyond 16:00)?

0 Karma
Reply
Solved! Jump to solution

A_VA
Explorer
‎10-30-2024 10:14 AM

Well, the chart takes up the space needed for data points from 12:00 to 16:00, but since there isn't any data in the 16:00 bin the graphic stops at 15:00 and leaves a void where 15:00 to 16:00 would normally be (if you cut a chunk of time out of a larger graph, that is). That space is 1/4th of the time chart panel with a four-hour window. It's a third with a three-hour window.

Is there any way to eliminate that void and stretch the chart across to fill the space?

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-30-2024 10:29 AM

Essentially, it is a matter of interpretation of the chart - it could be argued that the "space" between 15:00 and 16:00 represents the events in this time (hence the space in the chart graphic). You could use a column chart to show the space "occupied" with a graphic.

Reply
Solved! Jump to solution

A_VA
Explorer
‎10-30-2024 10:53 AM

You know? You're right, I hadn't looked at it that way. Still don't like it.

 

Thanks.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...