Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

FlashTimeline - how many time bars can be displayed?

Jason
Motivator
‎11-24-2011 09:57 PM

I have noticed that when doing a search in the default Search view, flashtimeline, the green time bars will be a useful small amount of time - up to a certain point. Then the time per bar will round up and the bars will be very wide and not useful.

What is the number of x-axis datapoints that can be displayed on the flashtimeline's histogram, and can this be changed?

Searches over a week could easily show 7 days x 1hr or 4hr increments on a screen as wide as mine, but instead show only 1 day increments.

Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎11-26-2011 09:00 AM

You cant control the bucket size of the FlashTimeline directly, but you can set a ceiling on how many buckets it's allowed to use. It takes a param called statusBuckets, and the docs list the default as 300 ( http://<host:port>/en-US/modules#Splunk.Module.FlashTimeline ). You can set this to any positive integer you like, but be careful going past about a thousand. The module refreshes itself every few seconds while a search is in progress so if it's a huge dataset you're asking it to pull down from the server every time, high numbers will slow things down a lot.

By the way, this may remind you of the bins=X / span=Y arguments that the timechart has. However the comparison only goes so far. The logic in the timechart is more sophisticated, in that it will display bucket sizes like 15minutes or 4hours, or 12 hours. The FlashTimeline module on the other hand always renders with one bar equal to one second, minute, hour, day, month or year.

Also, strictly speaking statusBuckets is not just a param for FlashTimeline. It's actually one of the arguments that you can send when you dispatch a search, and the effect is to set Splunk's granularity for preserving summary information throughout the lifetime of the job. Setting FlashTimeline's param thus effects the entire job, not just FlashTimeline's requests. Strangely though, there's no documentation about statusbuckets, nor about it's often-related POST arg, requiredFieldList. http://docs.splunk.com/Documentation/Splunk/4.2.4/RESTAPI/RESTsearch#POST_search.2Fjobs I could have sworn there used to be a mention of it in the old REST docs, but maybe the docs were removed.

View solution in original post

Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎11-26-2011 09:00 AM

You cant control the bucket size of the FlashTimeline directly, but you can set a ceiling on how many buckets it's allowed to use. It takes a param called statusBuckets, and the docs list the default as 300 ( http://<host:port>/en-US/modules#Splunk.Module.FlashTimeline ). You can set this to any positive integer you like, but be careful going past about a thousand. The module refreshes itself every few seconds while a search is in progress so if it's a huge dataset you're asking it to pull down from the server every time, high numbers will slow things down a lot.

By the way, this may remind you of the bins=X / span=Y arguments that the timechart has. However the comparison only goes so far. The logic in the timechart is more sophisticated, in that it will display bucket sizes like 15minutes or 4hours, or 12 hours. The FlashTimeline module on the other hand always renders with one bar equal to one second, minute, hour, day, month or year.

Also, strictly speaking statusBuckets is not just a param for FlashTimeline. It's actually one of the arguments that you can send when you dispatch a search, and the effect is to set Splunk's granularity for preserving summary information throughout the lifetime of the job. Setting FlashTimeline's param thus effects the entire job, not just FlashTimeline's requests. Strangely though, there's no documentation about statusbuckets, nor about it's often-related POST arg, requiredFieldList. http://docs.splunk.com/Documentation/Splunk/4.2.4/RESTAPI/RESTsearch#POST_search.2Fjobs I could have sworn there used to be a mention of it in the old REST docs, but maybe the docs were removed.

Reply
Solved! Jump to solution

Jason
Motivator
‎11-28-2011 07:06 PM

Thanks. I think the confusion arises when you run a search, the search bumps up to the next summary granularity, then the search realizes it has hit the end of the results (or is finalized) and then shrinks back to the events available, sometimes showing only a few time bars.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Splunk Developer Day was packed with product and platform updates for developers building in the AI ...