- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- scatter chart is not working.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
scatter chart is not working.
Hi,
I am running a query to show in scatter chart with name-field, X-axis and Y-axis . This Query throws over 15000 results for past 24 hrs . Since the limit of scatter chart is 10000 , I gave limit=5000 to try . When I am running the query for 60 mins ,I get the scatter chart as expected . But when I run same query for 24 hrs ( the record may be high but I have the limit added in query ) , It is breaking the search by saying "script long running - stop script" . Please advice
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Okay, here's the way to connect all the dots at one time more efficiently. This method is called the "Splunk Stew" method, and uses stats to join on the key instead of join.
index="123Prod" source="/var/ABC/CDE/trace.log"
(StartAuthenticationSession) OR
(responseType=AuthenticationSucceeded sessionCompleted)
| rex field=_raw "traceId=\"(?[^:]+)"
| eval OutTime=case(responseType="AuthenticationSucceeded",_time)
| eval InTime=case(isnull(OutTime),_time)
| stats min(InTime) as InTime max(OutTime) as OutTime by TraceID
Then, given those results, you can cull them to only 5K with
| sort 5000 InTime
See how that works for you.
The "Splunk Stew" method is more fully described here - https://answers.splunk.com/answers/524250/how-to-search-for-matches-in-two-different-searche.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sounds like your search needs to be tuned. If you post the code, we can suggest ways to make it run more effectively.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index="123Prod" source="/var/ABC/CDE/trace.log" StartAuthenticationSession
| rex field=_raw "traceId=\"(?[^:]+)"
| rename _time as InTime
| stats min(InTime) as InTime by TraceID
| table InTime TraceID | sort InTime limit=5000
| join TraceID
[ search index="123Prod" source="/var/ABC/CDE/trace.log" responseType=AuthenticationSucceeded sessionCompleted
| rex field=_raw "traceId=\"(?[^:]+)"
| table _time, TraceID
| rename _time as OutTime
| table OutTime , TraceID]
| table TraceID InTime OutTime
Technical Workshop Series: Splunk Data Management and SPL2 | Register here!
Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk
Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability
