Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Variable timespan causes data to be counted incorrectly

azeller
New Member
‎03-10-2021 08:14 AM

When we change the time span in a dashboard for this report, the counting of the values changes after 15 hours. The stats values go from a 1 minute span to a 5 minute span. I believe we need a way to use a "Variable" for the time and counting section in bold below.

 

sourcetype=ib:ddns index=ib_dns | rex field=REST "'(?<ZONE>[^ ]+)/IN'" | eval TYPE=if(isnull(TYPEA), case(match(REST, "updating zone '[^ ]+/IN': adding an RR at") OR match(REST, "updating zone '[^ ]+/IN': delet"), "Success", match(REST, "update '[^ ]+/IN' denied"), "Reject", match(REST, "updating zone '[^ ]+/IN': update unsuccessful.*prerequisite not satisfied \([NY]XDOMAIN\)"), "PrerequisiteReject", match(REST, "updating zone '[^ ]+/IN': update failed"), "Failure"), TYPEA) | eval VIEW=if(isnull(VIEW),"_default",replace(VIEW,"view (\d+)","\1")) | lookup dns_viewkey_displayname_lookup VIEW output display_name | bucket span=1m _time | stats count by _time TYPE | timechart bins=1000 eval(avg(count)/60) by TYPE | interpolate 120 | eval Success=if(isnull(Success),0,Success) | eval Failure=if(isnull(Failure),0,Failure) | eval Reject=if(isnull(Reject),0,Reject) | eval PrerequisiteReject=if(isnull(PrerequisiteReject),0,PrerequisiteReject) | rename PrerequisiteReject as "Prerequisite Reject"

Labels (2)
Labels
0 Karma
Reply

tscroggins
Influencer
‎03-14-2021 12:20 PM

@azeller 

If you want timechart to display the count per second irrespective of the bin width timechart calculates internally:

| bucket _time span=1m
| stats count by _time TYPE
| timechart per_second(count) by TYPE

The per_unit functions will sum the field values over the timechart bin and then divide by the number of time units within that bin.

If you want to fix the bin width at one minute:

| bucket _time span=1m
| stats count by _time TYPE
| timechart span=1m per_second(count) by TYPE

However, you will run into chart display limits over large timespans. The chart can display no more x-values  than the width of the chart in pixels.

Note that timechart's bin option is merely a suggestion. Like the bin/bucket command, it will use at most the number of bins you specify but will likely use less.

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...