Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Variable timespan causes data to be counted incorr...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Variable timespan causes data to be counted incorrectly
When we change the time span in a dashboard for this report, the counting of the values changes after 15 hours. The stats values go from a 1 minute span to a 5 minute span. I believe we need a way to use a "Variable" for the time and counting section in bold below.
sourcetype=ib:ddns index=ib_dns | rex field=REST "'(?<ZONE>[^ ]+)/IN'" | eval TYPE=if(isnull(TYPEA), case(match(REST, "updating zone '[^ ]+/IN': adding an RR at") OR match(REST, "updating zone '[^ ]+/IN': delet"), "Success", match(REST, "update '[^ ]+/IN' denied"), "Reject", match(REST, "updating zone '[^ ]+/IN': update unsuccessful.*prerequisite not satisfied \([NY]XDOMAIN\)"), "PrerequisiteReject", match(REST, "updating zone '[^ ]+/IN': update failed"), "Failure"), TYPEA) | eval VIEW=if(isnull(VIEW),"_default",replace(VIEW,"view (\d+)","\1")) | lookup dns_viewkey_displayname_lookup VIEW output display_name | bucket span=1m _time | stats count by _time TYPE | timechart bins=1000 eval(avg(count)/60) by TYPE | interpolate 120 | eval Success=if(isnull(Success),0,Success) | eval Failure=if(isnull(Failure),0,Failure) | eval Reject=if(isnull(Reject),0,Reject) | eval PrerequisiteReject=if(isnull(PrerequisiteReject),0,PrerequisiteReject) | rename PrerequisiteReject as "Prerequisite Reject"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you want timechart to display the count per second irrespective of the bin width timechart calculates internally:
| bucket _time span=1m
| stats count by _time TYPE
| timechart per_second(count) by TYPE
The per_unit functions will sum the field values over the timechart bin and then divide by the number of time units within that bin.
If you want to fix the bin width at one minute:
| bucket _time span=1m
| stats count by _time TYPE
| timechart span=1m per_second(count) by TYPE
However, you will run into chart display limits over large timespans. The chart can display no more x-values than the width of the chart in pixels.
Note that timechart's bin option is merely a suggestion. Like the bin/bucket command, it will use at most the number of bins you specify but will likely use less.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Observability Simplified: Combining User Experience, Application Performance & ...
Event Series May & June: From Network Visibility to Service Intelligence
