Splunk Search

How do I edit my timechart search to get the expected visualization?

carrotball
New Member

Hi all,

First off, some details. I have a script job running every 60 seconds to poll the processes in the servers and I'm trying to do a trending graph of the CPU% usage.

The ok.png is what I would like to see, but I'm getting the one in the problem.png. However, when I change the timeline from "last 4 hours" to something else, the graphs changes.

I understand that the problem is with my search, but what is the proper stats function to use?

ok

problem

0 Karma
1 Solution

renjith_nair
Legend

Your both searches are differ by the window you select, otherwise both of your results are same. In the first search , you have selected to view sum by an interval of 1m whereas in the second one you haven't selected any time span and hence splunk has assigned it's default value for four hours. If you don't mention the time span, splunk selects appropriate span based on the time range you select.

So it's up to you how you want to see the result, ie; if you want to see them in an interval of 1m or 10m or 1 hr and so on. Based on that you set the time span.

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

0 Karma

chimell
Motivator

Hi carrotball

These two search codes are the same the difference is between the time range which is difference. Note that the visualisation change with the time range.

0 Karma

jsburt
New Member

Can you share the script you run? Sounds like this would be very useful to have in place.

0 Karma

renjith_nair
Legend

Your both searches are differ by the window you select, otherwise both of your results are same. In the first search , you have selected to view sum by an interval of 1m whereas in the second one you haven't selected any time span and hence splunk has assigned it's default value for four hours. If you don't mention the time span, splunk selects appropriate span based on the time range you select.

So it's up to you how you want to see the result, ie; if you want to see them in an interval of 1m or 10m or 1 hr and so on. Based on that you set the time span.

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

carrotball
New Member

I'm getting, " These results may be truncated. This visualization is configured to display a maximum of 1000 results per series, and that limit has been reached."

Will changing the limits for that will affect splunk or the memory of the pc used to view the graph, whether it will consume more CPU/MEM etc.

0 Karma

renjith_nair
Legend

If you don't want the sum per minute always, the it's better to leave to splunk to automatically set the value for you. That's the easiest. If not set a token and set the span based on the time range or workaround like below and set appropriate range and values

 timechart sum .. [stats count | addinfo | eval range = info_max_time - info_min_time | eval span = "span=".case(range < 4000, "5m", range < 90000, "1h", 1=1, "12h") | return $span]
---
What goes around comes around. If it helps, hit it with Karma 🙂

carrotball
New Member

Thanks for the help!

0 Karma

renjith_nair
Legend

You are welcome. Please mark as 'answer' if you are satisfied to close the thread

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

carrotball
New Member

i see. i had to put span=1m in one to force it to produce the results i want. i thought it might just be the maths i was using is wrong(sum). so theres no way to use a single function which can produce the same output regardless of the time span i chose?

0 Karma

renjith_nair
Legend

Since you want the aggregation on time basis, and also ion fxied time of 1m, it's the same command you have to use. ie

|timechart span=1m sum ...

There are other ways also (|bucket span=1m|stats sum(...) by _time) but above is the better option.

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

stephanefotso
Motivator

Hello! Did you nottice that your both search queries are different? ok.png is using the span=1m, but problem.png is not using it

SGF
0 Karma
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...