I have a form that charts some data for me. However it's not charting enough data points for the search I specified. Here's the search and chart from the form.
<row> <chart> <title>Average Response Time Per Day</title> <searchTemplate>index=oxrsping sourcetype=OXRSTEST4 hostname=$hostname$ | timechart span=5m avg(domain_check) as domain_check avg(domain_create) as domain_create avg(domain_delete) as domain_delete avg(domain_renew) as domain_renew avg(domain_transf) as domain_transf avg(update_balance) as update_balance avg(user_login) as user_login avg(user_logout) as user_logout avg(registrar_update) as registrar_update avg(registrar_info) as registrar_info</searchTemplate> <option name="charting.chart">line</option> <option name="charting.primaryAxisTitle.text">Date</option> <option name="charting.secondaryAxisTitle.text">Average Response Time</option> </chart> </row>
If I select the time frame of data to chart to say, 30 days, it only charts 5 days worth of data. It's as if it cannot chart that many data points for 30 days. Is there any way to resolve this issue? I'm checking in the forum for others who might have had this issue as well but figured I'd throw this out there as well.
btw i'm using splunk version 4.2.1
Yes, there is a limit to how many data points the charting module will accept. The solution in your case would be to drop the "
span=5m" argument to
timechart so that the amount of datapoints will be automatically chosen to something that is suitable to chart.
Yes, I tried taking the span=5m out as well. Splunk scales the chart based on the time frame. It's not as detailed, but still does the job. I am wondering if there is a way to click on a spike in the chart and then have splunk rechart again based on where I clicked. I'll research this. Thanks for the feedback.