Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

minspan is overruled when span is set in dashboard

pjscott
New Member
‎09-14-2015 11:51 AM

Version 6.2.3. I have a dashboard that allows the time range and span to be set at the top for all panels. Most panels' data is gathered every minute. One is gathered every 5 minutes. I would like to specify a dashboard span of 2m, but this produces a spiky visualization for the 5 minute panel (every other plot point is zero).

I thought minspan would fix this, but it doesn't. I tried overriding it by setting a variable called this_span to 10m, but I get an error that I can't say "span=this_span".

Here's the search:

index=os sourcetype=interfaces | multikv fields Name MAC inetAddr inet6Addr Collisions RXbytes RXerrors TXbytes TXerrors Speed Duplex | sort 0 _time | streamstats current=f last(RXbytes) as last_RXbytes last(TXbytes) as last_TXbytes by host | eval delta_rxbytes=RXbytes-last_RXbytes | eval delta_txbytes=TXbytes-last_TXbytes | eval delta_rxbytes=if(delta_rxbytes<0, 0, delta_rxbytes) | eval delta_txbytes=if(delta_txbytes<0, 0, delta_txbytes) |  timechart useother=f minspan=10m avg(delta_rxbytes) AS bytes_rx, avg(delta_txbytes) AS bytes_tx by host_short

Now using the magnifying glass to get the search shows it put 'span=2m' after the minspan setting. And if I run that search, it plots it spiky; if I take the span=2m out, it plots correctly, but I have no way of doing that when it's in the dashboard.

This looks like another form of SPL-59079, only that was fixed some time ago.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎09-14-2015 12:55 PM

As per the documentation on timechart:

minspan
  Syntax: minspan=<span-length>
  Description: Specifies the smallest span granularity to use automatically inferring span from the data time range.

minspan is only used when inferring span from the time range. If you set span you turn off this inference.
To influence the span from inputs and use minspan you can combine it with bins to tune the inference without turning it off.

http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/timechart#bins_options

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎09-14-2015 12:55 PM

As per the documentation on timechart:

minspan
  Syntax: minspan=<span-length>
  Description: Specifies the smallest span granularity to use automatically inferring span from the data time range.

minspan is only used when inferring span from the time range. If you set span you turn off this inference.
To influence the span from inputs and use minspan you can combine it with bins to tune the inference without turning it off.

http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/timechart#bins_options

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎09-14-2015 03:21 PM

You are setting the span into the search using some $token$, right? That's the same as writing it into the search itself, and causes the minspan to be ignored as per the docs.

Let the user set bins instead of span. Then you're much more flexible with respect to different time ranges being set, and you can use minspan along with bins.
For example, you could have a dropdown with three settings "finest", "fine", "regular" that map to 500, 200, 100 bins.

Reply
Solved! Jump to solution

pjscott
New Member
‎09-14-2015 02:56 PM

Yes, but this search is in a panel on a dashboard that has an input for the span. I'm not putting the span setting into the search directly, it's being picked up from that dashboard input. How do I set the span for the search on this panel to be the greater of 10m or whatever that input is set to?

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎09-14-2015 12:52 PM

To simplify reproduction, the same happens for these searches:

index=_internal | timechart span=10m minspan=30m count
index=_internal | timechart minspan=30m span=10m count
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...