Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Variable timespan causes data to be counted incorrectly

azeller
New Member
‎03-10-2021 08:14 AM

When we change the time span in a dashboard for this report, the counting of the values changes after 15 hours. The stats values go from a 1 minute span to a 5 minute span. I believe we need a way to use a "Variable" for the time and counting section in bold below.

 

sourcetype=ib:ddns index=ib_dns | rex field=REST "'(?<ZONE>[^ ]+)/IN'" | eval TYPE=if(isnull(TYPEA), case(match(REST, "updating zone '[^ ]+/IN': adding an RR at") OR match(REST, "updating zone '[^ ]+/IN': delet"), "Success", match(REST, "update '[^ ]+/IN' denied"), "Reject", match(REST, "updating zone '[^ ]+/IN': update unsuccessful.*prerequisite not satisfied \([NY]XDOMAIN\)"), "PrerequisiteReject", match(REST, "updating zone '[^ ]+/IN': update failed"), "Failure"), TYPEA) | eval VIEW=if(isnull(VIEW),"_default",replace(VIEW,"view (\d+)","\1")) | lookup dns_viewkey_displayname_lookup VIEW output display_name | bucket span=1m _time | stats count by _time TYPE | timechart bins=1000 eval(avg(count)/60) by TYPE | interpolate 120 | eval Success=if(isnull(Success),0,Success) | eval Failure=if(isnull(Failure),0,Failure) | eval Reject=if(isnull(Reject),0,Reject) | eval PrerequisiteReject=if(isnull(PrerequisiteReject),0,PrerequisiteReject) | rename PrerequisiteReject as "Prerequisite Reject"

Labels (2)
Labels
0 Karma
Reply

tscroggins
Influencer
‎03-14-2021 12:20 PM

@azeller 

If you want timechart to display the count per second irrespective of the bin width timechart calculates internally:

| bucket _time span=1m
| stats count by _time TYPE
| timechart per_second(count) by TYPE

The per_unit functions will sum the field values over the timechart bin and then divide by the number of time units within that bin.

If you want to fix the bin width at one minute:

| bucket _time span=1m
| stats count by _time TYPE
| timechart span=1m per_second(count) by TYPE

However, you will run into chart display limits over large timespans. The chart can display no more x-values  than the width of the chart in pixels.

Note that timechart's bin option is merely a suggestion. Like the bin/bucket command, it will use at most the number of bins you specify but will likely use less.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...