Splunk Search

Dealing with timechart auto span feature without manually specifying span inside the search

SplunkTrust

Hi,

I am trying to find the best and most reliable solution to get precise graphs using the timechart command.

Indeed, timechart has an auto span feature depending on how long the selected timerange is; this can of course be manually bypassed inside the search using the argument "span".

But if you do so and the timerange is very big, then things won't work as expected and the chart won't be able to fit all the necessary data.

On the other hand, if you let the timerange deal with the span, it works well, but it won't give you precise enough charts in most cases.

I don't want to multiply every search by every timerange I could authorize users to select just to make things work, so I am looking for a better, industrial solution.

For now, I have found 2 ways to successfully get this to work:

Using HiddenSearchSwapper works very well, but the negative point is that it really complicates the XML code and multiplies the number of times search lines are hard-coded inside XML files...

I have many searches and I need to limit their location (only savedsearches inside *.conf files) and their number, so the same searches must be called for any timerange users could select.

Does anyone know a better way to modify the timechart auto span feature?

As an example, a 24h timerange chart will be much more precise using a 10 minute span (and this still fits the chart) instead of the auto span that timechart will choose (30 minutes).

Thanks in advance for any help ^^

SplunkTrust

Hi,

Thanks for your answers.

After intensive tests, I finally decided to adopt the JavaScript solution from here:
http://pastebin.com/jqDktMhC

and here:
http://www.davidveuve.com/tech/technical-detail-control-bin-selection-and-transparent-index-switchin...

I can't use it within savedsearches, but as far as I've tested it seems to be the most reliable solution to get the most granular charts without adding too much complexity inside the XML code.

Most reliable because whenever my users choose any timerange, bins or spans will be dynamically adapted to the best values.


SplunkTrust

If you just want higher resolution buckets you could set bins to a higher value than the default 100.


Splunk Employee

For the time-being, you can try using the minspan option:

 ... | timechart minspan=1h count

The search swapper module will be more readily available soon, I'll ping you back here with more information in the next month or two.

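The "dynamically adapted span" idea from the accepted JavaScript approach, as an added example that is not the pastebin or davidveuve.com code: given the selected time range in epoch seconds, pick the smallest span from an assumed list of candidates that keeps the bucket count under an assumed target (150 here, so that a 24h range yields the 10 minute span asked for above), and build the timechart search string with it so the same saved search body can serve any timerange a user selects.

```javascript
// Added example, not code from the thread. Candidate spans and the 150-bucket
// target are assumptions chosen so a 24h range lands on a 10m span; tune both
// to your dashboards. Times are epoch seconds (as Splunk's earliest/latest tokens).
const CANDIDATE_SPANS = [
  { label: "1m", seconds: 60 },
  { label: "5m", seconds: 300 },
  { label: "10m", seconds: 600 },
  { label: "30m", seconds: 1800 },
  { label: "1h", seconds: 3600 },
  { label: "4h", seconds: 4 * 3600 },
  { label: "1d", seconds: 86400 },
  { label: "7d", seconds: 7 * 86400 },
];

// Return the smallest candidate span whose bucket count for [earliest, latest]
// does not exceed maxBuckets; fall back to the coarsest span for huge ranges.
function pickSpan(earliest, latest, maxBuckets = 150) {
  const rangeSeconds = latest - earliest;
  if (!Number.isFinite(rangeSeconds) || rangeSeconds <= 0) {
    throw new RangeError("latest must be after earliest");
  }
  for (const span of CANDIDATE_SPANS) {
    if (rangeSeconds / span.seconds <= maxBuckets) {
      return span.label;
    }
  }
  return CANDIDATE_SPANS[CANDIDATE_SPANS.length - 1].label;
}

// Substitute the chosen span into a search whose body never hard-codes it,
// which is what a dashboard token like $span$ would carry.
function buildTimechartSearch(baseSearch, earliest, latest, field = "count") {
  const span = pickSpan(earliest, latest);
  return `${baseSearch} | timechart span=${span} ${field}`;
}

// Constructed example: a 24h window ending at 2024-01-01T00:00:00Z.
const latest = 1704067200;
console.log(buildTimechartSearch("index=main sourcetype=access_combined", latest - 86400, latest));
// → index=main sourcetype=access_combined | timechart span=10m count
```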