Splunk Search

Charting large amount of data points

gnovak
Builder

I have a form that charts some data for me. However, it's not charting enough data points for the search I specified. Here's the search and chart from the form.

<row>
  <chart>
    <title>Average Response Time Per Day</title>
    <searchTemplate>index=oxrsping sourcetype=OXRSTEST4 hostname=$hostname$ | timechart span=5m avg(domain_check) as domain_check avg(domain_create) as domain_create avg(domain_delete) as domain_delete avg(domain_renew) as domain_renew avg(domain_transf) as domain_transf avg(update_balance) as update_balance avg(user_login) as user_login avg(user_logout) as user_logout avg(registrar_update) as registrar_update avg(registrar_info) as registrar_info</searchTemplate>
    <option name="charting.chart">line</option>
    <option name="charting.primaryAxisTitle.text">Date</option>
    <option name="charting.secondaryAxisTitle.text">Average Response Time</option>
  </chart>
</row>

If I select the time frame of data to chart to, say, 30 days, it only charts 5 days' worth of data. It's as if it cannot chart that many data points for 30 days. Is there any way to resolve this issue? I'm checking in the forum for others who might have had this issue as well, but figured I'd throw this out there too.

BTW, I'm using Splunk version 4.2.1.

0 Karma

Ayn
Legend

Yes, there is a limit to how many data points the charting module will accept. The solution in your case would be to drop the "span=5m" argument to timechart so that the number of data points is automatically chosen to be something suitable to chart.

0 Karma
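To make the arithmetic behind this answer concrete, here is a small added example (not code from the thread or from Splunk) that models a chart with a fixed point budget: it counts the buckets a fixed `span=5m` produces over 30 days, shows how much of the range a capped chart can actually draw, and picks the finest span that fits the budget the way dropping `span` lets timechart do. The candidate span table and the budget of 1440 points are constructed for this example; the real cap of the Splunk 4.2.1 charting module is not stated on the page, and 1440 is used only because it reproduces the "30 days selected, 5 days drawn" symptom from the question.

```python
from math import ceil

# Candidate spans an auto-binning timechart might step through, finest first.
# Constructed for this example; this is not Splunk's own span table.
CANDIDATE_SPANS = [
    ("1m", 60), ("5m", 300), ("10m", 600), ("15m", 900), ("30m", 1800),
    ("1h", 3600), ("4h", 14400), ("12h", 43200), ("1d", 86400),
]

DAY = 86400  # seconds


def points_for_span(range_seconds, span_seconds):
    """Buckets a fixed span produces over the search range (last bucket may be partial)."""
    return ceil(range_seconds / span_seconds)


def visible_days(max_points, span_seconds):
    """Portion of the range (in days) a fixed span can show before a point cap truncates it."""
    return max_points * span_seconds / DAY


def choose_span(range_seconds, max_points):
    """Finest candidate span whose bucket count fits the budget; coarsest span as fallback."""
    for label, seconds in CANDIDATE_SPANS:
        if points_for_span(range_seconds, seconds) <= max_points:
            return label, seconds
    return CANDIDATE_SPANS[-1]


def timechart_clause(span_label=None):
    """The timechart prefix with or without a fixed span (fields elided for brevity)."""
    if span_label is None:
        return "timechart avg(domain_check) as domain_check"
    return "timechart span=%s avg(domain_check) as domain_check" % span_label


if __name__ == "__main__":
    budget = 1440           # constructed point cap, see lead-in
    thirty_days = 30 * DAY
    print(points_for_span(thirty_days, 300))   # 8640 buckets at span=5m
    print(visible_days(budget, 300))           # 5.0 days actually drawn
    print(choose_span(thirty_days, budget))    # ('30m', 1800)
    print(timechart_clause())                  # no span: let timechart pick
```

With a fixed 5-minute span a 30-day range needs 8640 buckets, so a chart that stops drawing after its budget shows only the first stretch of the range; letting the span be chosen from the range (the `choose_span` step, or simply omitting `span=` in SPL) keeps every bucket on the chart at the cost of coarser resolution, which is the trade-off the reply describes.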

gnovak
Builder

Yes, I tried taking the span=5m out as well. Splunk scales the chart based on the time frame. It's not as detailed, but still does the job. I am wondering if there is a way to click on a spike in the chart and then have Splunk re-chart based on where I clicked. I'll research this. Thanks for the feedback.

0 Karma