Splunk Search

How do I edit my timechart search to get the expected visualization?

carrotball
New Member

Hi all,

First off, some details. I have a script job running every 60 seconds to poll the processes in the servers and I'm trying to do a trending graph of the CPU% usage.

The ok.png is what I would like to see, but I'm getting the one in the problem.png. However, when I change the timeline from "last 4 hours" to something else, the graphs changes.

I understand that the problem is with my search, but what is the proper stats function to use?

ok

problem

0 Karma
1 Solution

renjith_nair
SplunkTrust
SplunkTrust

Your both searches are differ by the window you select, otherwise both of your results are same. In the first search , you have selected to view sum by an interval of 1m whereas in the second one you haven't selected any time span and hence splunk has assigned it's default value for four hours. If you don't mention the time span, splunk selects appropriate span based on the time range you select.

So it's up to you how you want to see the result, ie; if you want to see them in an interval of 1m or 10m or 1 hr and so on. Based on that you set the time span.

Happy Splunking!

View solution in original post

0 Karma

chimell
Motivator

Hi carrotball

These two search codes are the same the difference is between the time range which is difference. Note that the visualisation change with the time range.

0 Karma

jsburt
New Member

Can you share the script you run? Sounds like this would be very useful to have in place.

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

Your both searches are differ by the window you select, otherwise both of your results are same. In the first search , you have selected to view sum by an interval of 1m whereas in the second one you haven't selected any time span and hence splunk has assigned it's default value for four hours. If you don't mention the time span, splunk selects appropriate span based on the time range you select.

So it's up to you how you want to see the result, ie; if you want to see them in an interval of 1m or 10m or 1 hr and so on. Based on that you set the time span.

Happy Splunking!
0 Karma

carrotball
New Member

I'm getting, " These results may be truncated. This visualization is configured to display a maximum of 1000 results per series, and that limit has been reached."

Will changing the limits for that will affect splunk or the memory of the pc used to view the graph, whether it will consume more CPU/MEM etc.

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

If you don't want the sum per minute always, the it's better to leave to splunk to automatically set the value for you. That's the easiest. If not set a token and set the span based on the time range or workaround like below and set appropriate range and values

 timechart sum .. [stats count | addinfo | eval range = info_max_time - info_min_time | eval span = "span=".case(range < 4000, "5m", range < 90000, "1h", 1=1, "12h") | return $span]
Happy Splunking!

carrotball
New Member

Thanks for the help!

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

You are welcome. Please mark as 'answer' if you are satisfied to close the thread

Happy Splunking!
0 Karma

carrotball
New Member

i see. i had to put span=1m in one to force it to produce the results i want. i thought it might just be the maths i was using is wrong(sum). so theres no way to use a single function which can produce the same output regardless of the time span i chose?

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

Since you want the aggregation on time basis, and also ion fxied time of 1m, it's the same command you have to use. ie

|timechart span=1m sum ...

There are other ways also (|bucket span=1m|stats sum(...) by _time) but above is the better option.

Happy Splunking!
0 Karma

stephanefotso
Motivator

Hello! Did you nottice that your both search queries are different? ok.png is using the span=1m, but problem.png is not using it

SGF
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...