I have a summary search creating summarised data (number of accesses in an access log) once per minute (we are specifying span=1m in the sitimechart command).
My users will want to be able to view a timechart for this data covering data periods between last 60 minutes and last 30 days, or even longer.
It would be nice to be able to provide a chart that is as granular as possible - but no more granular than 1 minute, or else you get the spikes/valleys in the time chart. For example, specifying bins=300 is great for all time ranges above "last 60 minutes"; you get good granularity in the chart. If the user selects "last 60 mins" from the time range, timechart decides to use a 30 second span, so every second point has no data and the chart "breaks". Using a smaller "bins" value like 150 fixes the "last 60 mins" time period, but means that longer time periods, such as "last 7 days", revert to 1 point per day, which is pretty useless.
Being able to set the minimum granularity (i.e. to the equivalent span of the summary search) would be an excellent feature when it comes to summary dashboards.
PS. The documentation's claim that bins=300 is the default option for timechart appears to be wrong. You get far fewer bins by default, and if you specify bins=300 the span/chart changes. Test 4.1.5 and 4.3. It looks like someone spotted this a long time ago at http://splunk-base.splunk.com/answers/22499/timechart-using-too-few-bins
Timechart has an option that does exactly this, and it's called "minspan", and it was created precisely for summarized data:
... | timechart minspan=10m count
This will have bins that are at least 10m, but perhaps wider, depending on the timerange of the search. This option is compatible with bins, but not span, which is explicit.
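The bin arithmetic behind the question and this answer, as an added illustration that is not part of the thread: it assumes a simplified span-selection rule (range divided by bins, rounded up to the next "nice" span on a constructed ladder) rather than Splunk's actual algorithm, and shows why a fixed bins=300 on 1-minute summary data produces alternating empty buckets at "last 60 mins" while a minspan floor at the summary interval does not.

```python
# Added illustration (not from the thread). The span ladder and the
# "range / bins rounded up" rule are assumptions, not Splunk's real logic.
from collections import Counter

SUMMARY_INTERVAL = 60  # sitimechart span=1m -> one summary point per 60 s

# Assumed candidate spans in seconds, smallest to largest.
SPAN_LADDER = [1, 5, 10, 30, 60, 300, 600, 1800, 3600, 86400]


def choose_span(range_seconds, bins, minspan=0):
    """Smallest ladder span giving at most `bins` buckets, then raised to
    `minspan` (in seconds) if a floor was requested."""
    target = range_seconds / bins
    span = next((s for s in SPAN_LADDER if s >= target), SPAN_LADDER[-1])
    return max(span, minspan)


def summary_points(range_seconds):
    """Constructed summary data: one count every SUMMARY_INTERVAL seconds."""
    return [(t, 1) for t in range(0, range_seconds, SUMMARY_INTERVAL)]


def bucket_counts(points, span, range_seconds):
    """Aggregate summary points into consecutive buckets of `span` seconds."""
    counts = Counter()
    for t, n in points:
        counts[t // span] += n
    n_buckets = -(-range_seconds // span)  # ceiling division
    return [counts.get(b, 0) for b in range(n_buckets)]


def empty_bucket_fraction(range_seconds, bins, minspan=0):
    """Return (chosen span, fraction of buckets with no data)."""
    span = choose_span(range_seconds, bins, minspan)
    buckets = bucket_counts(summary_points(range_seconds), span, range_seconds)
    return span, sum(1 for c in buckets if c == 0) / len(buckets)


if __name__ == "__main__":
    # "last 60 mins" with bins=300: 30 s span, every second bucket empty
    print(empty_bucket_fraction(3600, 300))              # (30, 0.5)
    # same range with minspan=1m: span floored at 60 s, no empty buckets
    print(empty_bucket_fraction(3600, 300, minspan=60))  # (60, 0.0)
    # "last 7 days" with bins=150 collapses to one bucket per day
    print(empty_bucket_fraction(7 * 86400, 150))         # (86400, 0.0)
```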
This is great. Worked perfectly for drilling down on my summary data.
Great! It works perfectly, when combined with bins=300 or similar. I'm glad I asked now. It doesn't seem to be mentioned in the 4.3 documentation anywhere for timechart though...
You know what, I actually had tried minspan in the random hope it existed, but our production instance is 4.1.5 and I guess minspan doesn't exist on that version. It works on our test 4.3 instance.
Did you try:
|timechart span=1d ....
The span=1day argument buckets your aggregated variable into daily result set.
Thanks, but this doesn't work because for a short time period, such as "last 60 mins", you just get a single point in the chart.