Splunk Search

In timechart, over what time interval does a point refer to?

viggor
Path Finder

If I have a chart of the form

timechart span=T max(duration) as MaxLatency

and a point (x,y), then over what time interval is y computed?

[x-T/2, x+T/2), [x, x+T), or something else?

0 Karma

aaraneta_splunk
Splunk Employee

@viggor - Did one of the answers below help provide a solution to your question? If yes, please click "Accept" below the best answer to resolve this post. If no, please leave a comment with more feedback. Thanks.

0 Karma

gokadroid
Motivator

As @somesoni2 mentions, it is undocumented, but here is my shot at it. Bear with the long answer 🙂

I think a value (x,y) in a timechart should be taken as the y value inside the bucket [x, x+T), where x represents the bucket start time. Hence, how to calculate x (the start time of the first bucket) is of importance, as T will always be decided by the span you chose in the timechart command. Hence I discuss it below.

Remember x (if we take it as the first bucket's start time, so that the first bucket becomes [x, x+T)) has to be such that it covers the first event of your data (as per the time chosen for the search query), as well as such that it can cover all your data (till the end time) in buckets of T spans.

I took some samples as follows to test how a timechart will divide the buckets when, as part of the query, it is given a search start time (earliest) as StartInTimePicker, a search end time (latest) as EndInTimePicker and a span as spansInSec while plotting the timechart. Based on the multiple values that I chose, here is how it divided and decided the StartBucketTime and, after a certain number of T (spansInSec), the LastBucketTime:

StartTimeInTimePicker   EndTimeInTimePicker   Span   StartBucketTime       LastBucketTime
2016-11-09 00:29:00     2016-11-09 01:20:00   30m    2016-11-09 00:00:00   2016-11-09 01:00:00
2016-11-09 00:29:00     2016-11-09 01:31:00   30m    2016-11-09 00:00:00   2016-11-09 01:30:00
2016-11-09 00:29:59     2016-11-09 00:59:59   30m    2016-11-09 00:00:00   2016-11-09 00:30:00
2016-11-09 00:29:00     2016-11-09 00:31:00   9s     2016-11-09 00:28:57   2016-11-09 00:30:54
2016-11-09 00:29:00     2016-11-09 00:31:04   9s     2016-11-09 00:28:57   2016-11-09 00:31:03

It is clear from the above that most probably ONLY the earliest, latest and span decide how buckets will be divided. Here is the formula below, where you can replace the time picker times (StartInTimePicker, EndInTimePicker) with times of your choice in the time picker and the timechart span of your query (spansInSec), to see if the results show up the way they do in your timechart bucket statistics table.

| makeresults
| eval StartInTimePicker="2016-11-09 00:29:00"
| eval EndInTimePicker="2016-11-09 00:31:04"
| eval spansInSec=9
| eval setStartEpoch=strptime(StartInTimePicker, "%Y-%m-%d %H:%M:%S")
| eval setEndEpoch=strptime(EndInTimePicker, "%Y-%m-%d %H:%M:%S")
| eval startBucketTime=strftime((setStartEpoch - (setStartEpoch % spansInSec)), "%Y-%m-%d %H:%M:%S")
| eval endBucketTime=strftime((setEndEpoch - (setEndEpoch % spansInSec)), "%Y-%m-%d %H:%M:%S")
| table StartInTimePicker, EndInTimePicker, spansInSec, startBucketTime, endBucketTime

Span is taken in seconds for understanding; however, if you take the span in minutes in timechart, then fill the spansInSec value in the above query with the equivalent value in seconds and try it yourself.

Once we have startBucketTime and endBucketTime, it should be a simple task to represent the [x, x+T), [x+T, x+T+T), [x+T+T, x+T+T+T) ... [x+(n-1)T, x+nT) buckets as a loop of interval generation as follows:

for (long ii = startBucketTime; ii <= endBucketTime; ii = ii + spansInSec)
    print "[ ii, ii+spansInSec )"

This is how I think bucket times are being generated to decide [x, x+T).

0 Karma

somesoni2
SplunkTrust

I don't believe it's described anywhere in the documentation, but here is my observation.

The time interval depends upon the span and the time range for the search. Consider the example timechart span=10m count with a time range of the last 4 hrs. What Splunk does is start creating time buckets for every 10 mins from time 0 (1970/01/01 00:00) to the latest of the time range (now); the time series will be 1970/01/01 00:00, 1970/01/01 10:00, 1970/01/01 20:00 ....... 2016/11/09 15:30, 2016/11/09 15:40. Then it selects buckets based on the time range, earliest and latest, and selects all buckets which include the time range, including partially included buckets. So, considering the current time as 2016/11/09 15:48 and a time range from 2016/11/09 11:48 to 2016/11/09 15:48, the buckets included in the time range will be 2016/11/09 11:40, 2016/11/09 11:50, 2016/11/09 12:00 .... 2016/11/09 15:30, 2016/11/09 15:40.

0 Karma
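An added worked example (my own code, not Splunk's implementation and not code from either answer above) that reproduces the floor-to-span rule in gokadroid's SPL query and somesoni2's description of buckets aligned from epoch 0, and checks it against the five sample rows from gokadroid's table. It assumes the sample timestamps are UTC, since the thread does not name a timezone; `bucket_for` also shows that an event exactly at x+T lands in the next bucket, i.e. the interval is [x, x+T).

```python
from datetime import datetime, timezone

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed from the five sample rows in the table above:
# (earliest, latest, span in seconds, expected first bucket, expected last bucket)
SAMPLES = [
    ("2016-11-09 00:29:00", "2016-11-09 01:20:00", 1800, "2016-11-09 00:00:00", "2016-11-09 01:00:00"),
    ("2016-11-09 00:29:00", "2016-11-09 01:31:00", 1800, "2016-11-09 00:00:00", "2016-11-09 01:30:00"),
    ("2016-11-09 00:29:59", "2016-11-09 00:59:59", 1800, "2016-11-09 00:00:00", "2016-11-09 00:30:00"),
    ("2016-11-09 00:29:00", "2016-11-09 00:31:00", 9, "2016-11-09 00:28:57", "2016-11-09 00:30:54"),
    ("2016-11-09 00:29:00", "2016-11-09 00:31:04", 9, "2016-11-09 00:28:57", "2016-11-09 00:31:03"),
]

def to_epoch(ts):
    # Assumption: timestamps are read as UTC; the thread does not name a timezone.
    return int(datetime.strptime(ts, FMT).replace(tzinfo=timezone.utc).timestamp())

def from_epoch(epoch):
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime(FMT)

def bucket_start(epoch, span):
    # Same arithmetic as the SPL eval: epoch - (epoch % span). The bucket grid is
    # anchored at epoch 0 and every bucket is the half-open interval [x, x+T).
    return epoch - (epoch % span)

def timechart_buckets(earliest, latest, span):
    """All [x, x+T) buckets from the one containing earliest to the one containing latest."""
    first = bucket_start(to_epoch(earliest), span)
    last = bucket_start(to_epoch(latest), span)
    return [(from_epoch(x), from_epoch(x + span)) for x in range(first, last + 1, span)]

def bucket_for(event_ts, span):
    """The (start, end) of the [x, x+T) bucket an event at event_ts is counted in."""
    x = bucket_start(to_epoch(event_ts), span)
    return from_epoch(x), from_epoch(x + span)

def check_samples():
    """Confirm the floor-to-span rule reproduces every row of the sample table."""
    for earliest, latest, span, exp_first, exp_last in SAMPLES:
        buckets = timechart_buckets(earliest, latest, span)
        if buckets[0][0] != exp_first or buckets[-1][0] != exp_last:
            return False
    return True
```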

niketn
Legend

Please add more details to your problem.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma