Splunk Search

How to prevent my timechart search results from being truncated to display all data points?

avisram
Path Finder

I am attempting to generate an area chart for the past 15 days using the following search:

index=test sourcetype=abcd source=1234 field1=* | timechart span=1h count by field1 useother=f limit=0

field1 has approximately 160 distinct values. Given this, in conjunction with the time range and 1-hour span, this results in almost 60,000 data points to be plotted. When attempting to chart this, I get the error:

These results may be truncated. Your search generated too much data for the current visualization configuration.

I have done the following to attempt to resolve this issue:

  1. Edit the source XML for the chart/dashboard panel by adding charting.data.count=0
  2. Edit the source XML for the chart/dashboard panel by adding charting.resultTruncationLimit=60000
  3. Edit the local web.conf file by adding jschart_truncation_limit=0

None of the above fixes have resulted in the chart rendering with all the results. Are there any other potential solutions to this issue that I can try?

Thanks for your assistance.

kbecker
Communicator

Have you opened a support case for this? We are trying to get Splunk to remove this limit and more customers behind this will help drive this.

Thanks,
Ken

0 Karma

woodcock
Esteemed Legend

Part of the reason for this "unavoidable error" is that charts that are busier than 50K data elements are pretty much too busy to be useful. It is Splunk's way of telling you, "Don't be ridiculous, nobody will even use it!"

The way to do this is to segment your field1 value-space into logical sub-groupings and plot each sub-grouping on a separate dashboard by adding | where tag=field1USA for one and | where tag=field1UK for another, etc. This is what I have done.

avisram
Path Finder

I agree in theory that plotting this large a volume of data may not be useful. However, in transitioning to Splunk we are trying to convert all existing reports and dashboards that are being currently generated in other tools. The dashboard panel in question is currently being generated successfully in Excel.

That being said, I believe the issue is not so much related to the number of data points as it is to the number of series being attempted to chart. According to Splunk documentation, in version 6.2.8 JSChart is limited to plotting a maximum of 50 series - http://docs.splunk.com/Documentation/Splunk/6.2.8/AdvancedDev/CustomChartingConfig-JSChart

There is no current version of this document for 6.3.3. Can someone validate that this maximum limit also applies to 6.3.3?

0 Karma
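
The segmentation woodcock suggests, combined with the 50-series figure avisram cites, worked through as an added example (not code from any poster in this thread or from Splunk). It assumes the two limits quoted above (about 50K data points and 50 series per chart), uses constructed placeholder values for field1, and splits by explicit field1 values rather than by tags.

```python
import math

# Values from the question: 15 days at span=1h, about 160 values of field1.
BASE = "index=test sourcetype=abcd source=1234"
VALUES = [f"value{i:03d}" for i in range(160)]  # constructed stand-ins

def points_per_series(days, span_hours):
    """Number of time buckets timechart emits for each series."""
    return math.ceil(days * 24 / span_hours)

def plan_panels(values, days, span_hours, max_points, max_series):
    """Batch the field values so each panel stays under both limits."""
    buckets = points_per_series(days, span_hours)
    per_panel = min(max_series, max_points // buckets)
    if per_panel < 1:
        raise ValueError("a single series exceeds max_points; use a wider span")
    return [values[i:i + per_panel] for i in range(0, len(values), per_panel)]

def quote(value):
    """Escape backslashes and double quotes for a quoted SPL field value."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def panel_search(base, field, batch, span_hours):
    """Build one panel's search, restricted to that batch of values."""
    clause = " OR ".join(f"{field}={quote(v)}" for v in batch)
    return (f"{base} ({clause}) "
            f"| timechart span={span_hours}h count by {field} useother=f limit=0")

if __name__ == "__main__":
    # Assumed limits, as quoted in the thread: ~50K points, 50 series.
    panels = plan_panels(VALUES, 15, 1, max_points=50_000, max_series=50)
    for n, batch in enumerate(panels, 1):
        total = len(batch) * points_per_series(15, 1)
        print(f"panel {n}: {len(batch)} series, {total} points")
    print(panel_search(BASE, "field1", panels[-1], 1))
```

With these inputs the series limit, not the point limit, is the binding one: each panel could hold 138 series by point count but is capped at 50.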