Splunk Search

In timechart, over what time interval does a point refer to?

viggor
Path Finder

If I have a chart of the form

timechart span=T max(duration) as MaxLatency

and a point (x,y), then over what time interval is y computed?

[x-T/2, x+T/2) , [x, x+T) or something else?

0 Karma

aaraneta_splunk
Splunk Employee

@viggor - Did one of the answers below help provide a solution your question? If yes, please click “Accept” below the best answer to resolve this post. If no, please leave a comment with more feedback. Thanks.

0 Karma

gokadroid
Motivator

As @somesoni2 mentions, it is undocumented, but here is my shot at it. Bear with the long answer 🙂

I think a value (x,y) in a timechart should be taken as the y value inside the bucket [x, x+T), where x represents the bucket start time. Hence how to calculate x (the start time of the first bucket) is of importance, as T will always be decided by the span you chose in the timechart command. I discuss this below.

Remember that x (if we take it as the first bucket's start time, so that the first bucket becomes [x, x+T)) has to be such that it covers the first event of your data (as per the time chosen for the search query) and such that it can cover all your data (till the end time) in buckets of T spans.

I took some samples as follows to test how a timechart will divide the buckets when, as part of the query, it is given a search start time (earliest) as StartInTimePicker, a search end time (latest) as EndInTimePicker and a span as spansInSec while plotting the timechart. Based on the multiple values that I chose, here is how it divided the buckets and decided the StartBucketTime and, after a certain number of T (spansInSec) intervals, the LastBucketTime:

StartTimeInTimePicker   EndTimeInTimePicker   Span   StartBucketTime       LastBucketTime
2016-11-09 00:29:00     2016-11-09 01:20:00   30m    2016-11-09 00:00:00   2016-11-09 01:00:00
2016-11-09 00:29:00     2016-11-09 01:31:00   30m    2016-11-09 00:00:00   2016-11-09 01:30:00
2016-11-09 00:29:59     2016-11-09 00:59:59   30m    2016-11-09 00:00:00   2016-11-09 00:30:00
2016-11-09 00:29:00     2016-11-09 00:31:00   9s     2016-11-09 00:28:57   2016-11-09 00:30:54
2016-11-09 00:29:00     2016-11-09 00:31:04   9s     2016-11-09 00:28:57   2016-11-09 00:31:03

It is clear from the above that most probably ONLY the earliest, latest and span decide how the buckets will be divided. Here is the formula, where you can replace the time picker times (StartInTimePicker, EndInTimePicker) with times of your choice from the time picker and the timechart span of your query (spansInSec), to see if the results show up the way they do in your timechart bucket statistics table.

| makeresults
| eval StartInTimePicker="2016-11-09 00:29:00"
| eval EndInTimePicker="2016-11-09 00:31:04"
| eval spansInSec=9
| eval setStartEpoch=strptime(StartInTimePicker, "%Y-%m-%d %H:%M:%S")
| eval setEndEpoch=strptime(EndInTimePicker, "%Y-%m-%d %H:%M:%S")
| eval startBucketTime=strftime((setStartEpoch - (setStartEpoch % spansInSec)), "%Y-%m-%d %H:%M:%S")
| eval endBucketTime=strftime((setEndEpoch - (setEndEpoch % spansInSec)), "%Y-%m-%d %H:%M:%S")
| table StartInTimePicker, EndInTimePicker, spansInSec, startBucketTime, endBucketTime

Span is taken in seconds for ease of understanding; however, if you use a span in minutes in timechart, then fill the spansInSec value in the above query with the equivalent value in seconds and try it yourself.

Once we have startBucketTime and endBucketTime, it should be a simple task to represent the [x, x+T), [x+T, x+T+T), [x+T+T, x+T+T+T) ... [x+(n-1)T, x+nT) buckets as a loop of interval generation as follows:

for (ii = startBucketTime; ii <= endBucketTime; ii = ii + spansInSec)
   print "[ii, ii+spansInSec)"

This is how I think the bucket times are being generated to decide [x, x+T).

0 Karma

somesoni2
Revered Legend

I don't believe it's described anywhere in the documentation, but here is my observation.

The time interval depends upon the span and the time range for the search. Consider the example timechart span=10m count with a time range of the last 4 hrs. What Splunk does is start creating time buckets for every 10 mins from time 0 (1970/01/01 00:00) to the latest of the time range (now), so the time series will be 1970/01/01 00:00, 1970/01/01 10:00, 1970/01/01 20:00 ....... 2016/11/09 15:30, 2016/11/09 15:40. Then it selects buckets based on the time range, earliest and latest, and selects all buckets which include the time range, including partially included buckets. So considering the current time as 2016/11/09 15:48, and a time range from 2016/11/09 11:48 to 2016/11/09 15:48, the buckets included in the time range will be 2016/11/09 11:40, 2016/11/09 11:50, 2016/11/09 12:00 .... 2016/11/09 15:30, 2016/11/09 15:40.

0 Karma
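Both gokadroid's bucket-alignment formula and somesoni2's description of epoch-aligned buckets come down to the same rule: bucket start times are multiples of the span, running from earliest - (earliest % span) to latest - (latest % span), and the y of each point is computed over the half-open interval [x, x+T). The Python below is an added example that is not from this thread or from Splunk; it models that rule on constructed events using the 9 s span and the 00:29:00 to 00:31:00 range from gokadroid's table, treats timestamps as UTC, and assumes the search range is earliest-inclusive and latest-exclusive.

```python
from datetime import datetime, timezone

FMT = "%Y-%m-%d %H:%M:%S"


def to_epoch(ts):
    """Parse 'YYYY-MM-DD HH:MM:SS' as UTC (mirrors strptime() in the SPL above)."""
    return int(datetime.strptime(ts, FMT).replace(tzinfo=timezone.utc).timestamp())


def to_str(epoch):
    return datetime.fromtimestamp(epoch, timezone.utc).strftime(FMT)


def bucket_starts(earliest, latest, span_sec):
    """Bucket start times x: multiples of span_sec from floor(earliest) to floor(latest),
    i.e. startBucketTime = earliest - earliest % span_sec, as in the thread's formula."""
    first = to_epoch(earliest) - to_epoch(earliest) % span_sec
    last = to_epoch(latest) - to_epoch(latest) % span_sec
    return [to_str(x) for x in range(first, last + 1, span_sec)]


def timechart_max(events, earliest, latest, span_sec, field="duration"):
    """Model 'timechart span=T max(field)': each event lands in the half-open
    bucket [x, x+T) with x = _time - _time % T; buckets with no events stay None."""
    lo, hi = to_epoch(earliest), to_epoch(latest)
    result = {x: None for x in bucket_starts(earliest, latest, span_sec)}
    for ev in events:
        t = to_epoch(ev["_time"])
        if not (lo <= t < hi):  # assumed search range: earliest inclusive, latest exclusive
            continue
        x = to_str(t - t % span_sec)
        result[x] = ev[field] if result[x] is None else max(result[x], ev[field])
    return result


# Constructed sample events (not from the thread); span=9 s, range 00:29:00 to 00:31:00.
EVENTS = [
    {"_time": "2016-11-09 00:29:02", "duration": 120},  # bucket [00:28:57, 00:29:06)
    {"_time": "2016-11-09 00:29:05", "duration": 340},  # same bucket, its last second
    {"_time": "2016-11-09 00:29:06", "duration": 80},   # first second of [00:29:06, 00:29:15)
    {"_time": "2016-11-09 00:30:54", "duration": 900},  # exactly on a bucket start
    {"_time": "2016-11-09 00:35:00", "duration": 999},  # after latest: not searched
]

if __name__ == "__main__":
    for x, y in timechart_max(EVENTS, "2016-11-09 00:29:00", "2016-11-09 00:31:00", 9).items():
        print(x, y)
```

Empty buckets print as None; in Splunk they would show as null (or 0 for count) in the statistics table.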

niketn
Legend

Please add more details to your problem.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma