Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Charting large amount of data points

gnovak
Builder
‎01-30-2012 02:29 PM

I have a form that charts some data for me. However it's not charting enough data points for the search I specified. Here's the search and chart from the form.

<row>
<chart>
          <title>Average Response Time Per Day</title>
          <searchTemplate>index=oxrsping sourcetype=OXRSTEST4 hostname=$hostname$ | timechart span=5m avg(domain_check) as domain_check avg(domain_create) as domain_create avg(domain_delete) as domain_delete avg(domain_renew) as domain_renew avg(domain_transf) as domain_transf avg(update_balance) as update_balance avg(user_login) as user_login avg(user_logout) as user_logout avg(registrar_update) as registrar_update avg(registrar_info) as registrar_info</searchTemplate>
          <option name="charting.chart">line</option>
          <option name="charting.primaryAxisTitle.text">Date</option>
          <option name="charting.secondaryAxisTitle.text">Average Response Time</option>
      </chart>
</row>

If I select the time frame of data to chart to say, 30 days, it only charts 5 days worth of data. It's as if it cannot chart that many data points for 30 days. Is there any way to resolve this issue? I'm checking in the forum for others who might have had this issue as well but figured I'd throw this out there as well.

btw i'm using splunk version 4.2.1

Tags (2)
0 Karma
Reply

Ayn
Legend
‎01-30-2012 10:22 PM

Yes, there is a limit to how many data points the charting module will accept. The solution in your case would be to drop the "span=5m" argument to timechart so that the amount of datapoints will be automatically chosen to something that is suitable to chart.

0 Karma
Reply

gnovak
Builder
‎01-31-2012 11:30 AM

Yes, I tried taking the span=5m out as well. Splunk scales the chart based on the time frame. It's not as detailed, but still does the job. I am wondering if there is a way to click on a spike in the chart and then have splunk rechart again based on where I clicked. I'll research this. Thanks for the feedback.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

 Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...