Splunk Search

How do you create multiple timechart graphs with the same time scale?

peterson_wwt
New Member

I have many different but simultaneous metrics that I am graphing over time. The y axis for each has a different range (0 to a million or 30% to 70% or whatever), but the time (x axis) is concurrent for all.

I want to put these charts in a dashboard, vertically stacked, and have the timescales for each match up exactly.

Some things I have tried that don't quite work:

  • Multi-series mode: This forces me to choose one chart format for each, but I need some to be lines, some to be bar charts, and some to be bubble charts.
  • Chart overlay: This is fine for two series, but I have many.
  • Creating one big table and then just field - away the ones I don't care about for each panel. This is tedious and I have not gotten consistent results. Also, the search for the report becomes complex as I have multiple indexes, sources and sourcetypes for each time series. Ideally each search could run independently but share a single timescale for the entire dashboard.

I have seen tools like Grafana do this easily. I don't need the shared crosshair like Grafana does, but I do need a shared timescale.

Surely there is a way to do this with Splunk and I am just ignorant.

Please help!

Thanks

0 Karma

skoelpin
SplunkTrust

You can set the static y axis values by going to Format and selecting the static ranges.

0 Karma

peterson_wwt
New Member

It is the x axis (time) that I need to be manually set, actually.

y axis should conform to whatever the range of the data is.

0 Karma

skoelpin
SplunkTrust

Are you referring to splitting time into finer granularities? If so, you use the span parameter on your timechart command.

0 Karma

peterson_wwt
New Member

That is part of it, but not entirely the thing. I need the left and right bounds of the time scale to be identical for multiple charts. In doing that I also expect the bucket size (which you could set with span) to be identical, but I don't want to set span explicitly because the timescale will vary widely from dashboard to dashboard.

After doing some reading it seems I need to set <earliest> and <latest> in the xml for each chart. I am trying to do that now based off a report but can't figure out how to set those tokens yet.

0 Karma
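The `<earliest>`/`<latest>` approach mentioned in the post above, sketched as a Simple XML dashboard. This is an added example, not code from any poster in the thread. The token name `shared_time`, the index and sourcetype names, and the field `cpu_pct` are placeholders. Each panel runs its own independent search, but every search takes its bounds from one time picker. `timechart` with `fixedrange=true` (its default) keeps the x axis at the search's earliest and latest times even when a series has no events near the edges, and because no `span` is given, the bucket size is chosen from that same range.

```xml
<form>
  <label>Stacked metrics with a shared time range</label>
  <fieldset submitButton="false">
    <!-- One time picker for the whole dashboard; sets $shared_time.earliest$ / $shared_time.latest$ -->
    <input type="time" token="shared_time">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <!-- One panel per row stacks the charts vertically -->
  <row>
    <panel>
      <chart>
        <title>Request count (column)</title>
        <search>
          <!-- placeholder index and sourcetype -->
          <query>index=web_example sourcetype=access_example | timechart fixedrange=true count</query>
          <earliest>$shared_time.earliest$</earliest>
          <latest>$shared_time.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>CPU utilisation (line)</title>
        <search>
          <!-- different index and sourcetype, same time bounds; cpu_pct is a placeholder field -->
          <query>index=os_example sourcetype=cpu_example | timechart fixedrange=true avg(cpu_pct) AS cpu_pct</query>
          <earliest>$shared_time.earliest$</earliest>
          <latest>$shared_time.latest$</latest>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
  </row>
</form>
```

The y axis of each panel is left unset, so it scales to that panel's own data.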

PavelNed
Explorer

@peterson_wwt found answer to this?

Facing exactly the same problem.

0 Karma