
How does Splunk decide the time interval for the Time Range Picker

tkadale
Path Finder

How does Splunk decide the time interval for the time range selected in the Time Range Picker?
For example, when we select "Last 7 Days" from the time range picker and see the graph, the time interval is automatically set to 1 day!
When we select "Last 24 hours", the time interval is automatically set to 4 hours!
How does Splunk decide this interval?
Please help me!

Thanks in advance!


sideview
SplunkTrust

The answer depends on what 'graph' you're referring to.

1) If you mean the graph in the default search view that always has green bars, we call that the 'timeline' generally. What determines the granularity there is the status_buckets argument that is sent when the search is first dispatched. The presence of the FlashTimeline module in the XML hierarchy will cause status_buckets to be set to 300.

http://www.splunk.com/base/Documentation/latest/Developer/RESTSearch#POST

It's also a little-known fact that the FlashTimeline module exposes a statusBuckets param in the XML that you can use to change this from the default of 300.

http://www.splunk.com/base/Documentation/latest/Developer/ModuleReference#FlashTimeline

2) On the other hand, if you mean the timecharts that you get when you're using the timechart command, then the default granularity comes from the timechart command itself.

Timechart accepts a bins argument OR a span argument. Of the two, people are generally more familiar with the span arg, because it's more intuitive to say span=2h than bins=200.

However, if you specify neither one of those two, the timechart command will use an implicit default for the bins param.

The documentation says that the default bins value is bins=300 but based on my observation I think this is incorrect and it's closer to 150. You can test this out by running various searches with timechart count and then with timechart bins=300 count, and in some timeranges you'll see a difference.

http://www.splunk.com/base/Documentation/latest/SearchReference/Timechart

By the way, you should be aware that when you're using a 'split by' field in timechart, make sure to put the bins and span args right after the timechart and not after your split by field. Because if you put these args after the split by field, that tells Splunk that you want to control bucketing on the splitBy field, not on the time axis... Try it and see because it's kind of cool. Run timechart count by date_minute bins=10 and timechart count by date_minute span=15 to see what I mean.
