Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How does splunk decide Time Interval for Time range Picker

tkadale
Path Finder
‎06-06-2011 11:01 PM

How does splunk decide time interval for Time Range selected in Time Range Picker.
For Ex- When we select "Last 7 Days" from time range picker and see the graph, the time interval is automatically done to 1 Day!
when we select "Last 24 hours" time interval automatically done to 4 hours!
How does Splunk decide this interval?
Please help me!

Thanks in advance!

Tags (1)
Reply

sideview
SplunkTrust
SplunkTrust
‎06-07-2011 12:30 AM

The answer depends on what 'graph' you're referring to.

1) If you mean the graph in the default search view that always has green bars, we call that the 'timeline' generally. What determines the granularity there is the status_buckets argument that is sent when the search is first dispatched. The presence of the FlashTimeline module in the XML hierarchy will cause status_buckets to be set to 300.

http://www.splunk.com/base/Documentation/latest/Developer/RESTSearch#POST

It's also a little-known fact that the FlashTimeline module exposes a statusBuckets param in the XML that you can use to change this from the default of 300.

http://www.splunk.com/base/Documentation/latest/Developer/ModuleReference#FlashTimeline

2) On the other hand if you mean the timecharts that you get when you're using the timechart command, then the default granularity comes from the timechart command itself.

Timechart accepts a bins argument OR a span argument. Of the two, people are generally more familiar with the span arg, because its more intuitive to say span=2h than bins=200.

However if you specify neither one of those two, the timechart command will use an implicit default for the bins param.

The documentation says that the default bins value is bins=300 but based on my observation I think this is incorrect and it's closer to 150. You can test this out by running various searches with timechart count and then with timechart bins=300 count, and in some timeranges you'll see a difference.

http://www.splunk.com/base/Documentation/latest/SearchReference/Timechart

by the way, you should be aware that when you're using a 'split by' field in timechart, make sure to put the bins and span args right after the timechart and not after your split by field. Because if you put these args after the split by field, that tells Splunk that you want to control bucketing on the splitBy field, not on the time axis.... Try it and see because it's kind of cool. Run timechart count by date_minute bins=10 and timechart count by date_minute span=15 to see what I mean.

Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...