Dashboards & Visualizations

Variable timespan causes data to be counted incorrectly

azeller
New Member

When we change the time span in a dashboard for this report, the counting of the values changes after 15 hours. The stats values go from a 1 minute span to a 5 minute span. I believe we need a way to use a "Variable" for the time and counting section in bold below.

 

sourcetype=ib:ddns index=ib_dns | rex field=REST "'(?<ZONE>[^ ]+)/IN'" | eval TYPE=if(isnull(TYPEA), case(match(REST, "updating zone '[^ ]+/IN': adding an RR at") OR match(REST, "updating zone '[^ ]+/IN': delet"), "Success", match(REST, "update '[^ ]+/IN' denied"), "Reject", match(REST, "updating zone '[^ ]+/IN': update unsuccessful.*prerequisite not satisfied \([NY]XDOMAIN\)"), "PrerequisiteReject", match(REST, "updating zone '[^ ]+/IN': update failed"), "Failure"), TYPEA) | eval VIEW=if(isnull(VIEW),"_default",replace(VIEW,"view (\d+)","\1")) | lookup dns_viewkey_displayname_lookup VIEW output display_name | bucket span=1m _time | stats count by _time TYPE | timechart bins=1000 eval(avg(count)/60) by TYPE | interpolate 120 | eval Success=if(isnull(Success),0,Success) | eval Failure=if(isnull(Failure),0,Failure) | eval Reject=if(isnull(Reject),0,Reject) | eval PrerequisiteReject=if(isnull(PrerequisiteReject),0,PrerequisiteReject) | rename PrerequisiteReject as "Prerequisite Reject"

Labels (2)
0 Karma

tscroggins
Influencer

@azeller 

If you want timechart to display the count per second irrespective of the bin width timechart calculates internally:

| bucket _time span=1m
| stats count by _time TYPE
| timechart per_second(count) by TYPE

The per_unit functions will sum the field values over the timechart bin and then divide by the number of time units within that bin.

If you want to fix the bin width at one minute:

| bucket _time span=1m
| stats count by _time TYPE
| timechart span=1m per_second(count) by TYPE

However, you will run into chart display limits over large timespans. The chart can display no more x-values  than the width of the chart in pixels.

Note that timechart's bin option is merely a suggestion. Like the bin/bucket command, it will use at most the number of bins you specify but will likely use less.

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...