Splunk Search

Dealing with timechart auto span feature without manually specifying span inside the search

guilmxm
Influencer

Hi,

I am trying to find the best and most reliable solution to get precise graphs using the timechart command.

Indeed, timechart has an auto span feature depending on how long the selected timerange is; this can of course be manually bypassed inside the search using the argument "span".

But if you do so and if the timerange is very big, then things won't work as expected and the chart won't be able to fit all necessary data.

On the other hand, if you let timerange deal with span, it works well, but it won't let you get precise enough charts in most cases.

I don't want to multiply every search by every timerange I could authorize users to select to make things work, so I am looking for a better and industrial solution.

As for now, I found 2 ways to successfully get this to work:

Using HiddenSearchSwapper works very well, but the negative point is it will really complicate XML code and multiply the number of times search lines are hard coded inside XML files...

I have many searches and I need to limit their location (only savedsearches inside *.conf files) and numbers, so the same searches must be called for any timerange users could select.

Does anyone know a better way to modify the timechart auto span feature?

As an example, a 24h timerange chart will be much more precise using a 10 minutes span (and this still fits the chart) instead of the auto span that timechart will choose (30 minutes).

Thanks in advance for any help ^^

guilmxm
Influencer

Hi,

Thanks for your answers.

After intensive tests, I finally decided to adopt the JavaScript solution from here:
http://pastebin.com/jqDktMhC

and here:
http://www.davidveuve.com/tech/technical-detail-control-bin-selection-and-transparent-index-switchin...

I can't use it within savedsearches, but as far as I've tested it seems to be the most reliable solution to get the most granular charts without adding too much complexity inside XML code.

Most reliable because whenever my users choose any timerange, bins or spans will be dynamically adapted to the best values.

0 Karma

martin_mueller
SplunkTrust

If you just want higher resolution buckets you could set bins to a higher value than the default 100.

0 Karma

araitz
Splunk Employee

For the time being, you can try using the minspan option:

 ... | timechart minspan=1h count

The search swapper module will be more readily available soon, I'll ping you back here with more information in the next month or two.
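
The idea discussed in this thread (one search definition whose span follows the selected time range), as an added example that is not part of any post above and is not the code behind the linked pastebin. The span ladder, the function names and the `index=main` base search are assumptions made for illustration.

```javascript
// Candidate spans, finest first, as [timechart span value, seconds].
// This ladder is an assumption for the example, not Splunk's internal table.
const SPAN_LADDER = [
  ["1s", 1], ["10s", 10], ["30s", 30], ["1m", 60], ["5m", 300],
  ["10m", 600], ["30m", 1800], ["1h", 3600], ["4h", 14400],
  ["1d", 86400], ["7d", 604800],
];

// Return the finest span whose bucket count over the selected time range
// stays at or below maxBuckets (the most points the chart should carry).
function pickSpan(earliestEpoch, latestEpoch, maxBuckets) {
  const range = latestEpoch - earliestEpoch;
  if (!Number.isFinite(range) || range <= 0) {
    throw new RangeError("latest must be after earliest");
  }
  if (!Number.isInteger(maxBuckets) || maxBuckets < 1) {
    throw new RangeError("maxBuckets must be a positive integer");
  }
  for (const [label, seconds] of SPAN_LADDER) {
    if (Math.ceil(range / seconds) <= maxBuckets) {
      return label;
    }
  }
  // Range too long even for the coarsest span: fall back to the coarsest.
  return SPAN_LADDER[SPAN_LADDER.length - 1][0];
}

// Append a timechart with the computed span to a single base search, so the
// search text is written once and reused for every time range.
function withSpan(baseSearch, earliestEpoch, latestEpoch, maxBuckets) {
  const span = pickSpan(earliestEpoch, latestEpoch, maxBuckets);
  return `${baseSearch} | timechart span=${span} count`;
}

// Constructed sample: a 24h range (epoch seconds) and a 150-bucket budget.
console.log(withSpan("index=main", 0, 86400, 150));
```

With a 100-bucket budget the same 24h range falls back to 30m, which is the auto span value mentioned in the question.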
