Is there any way to set a higher default "bins=xxx" for timechart setting?

SplunkTrust

I know I can override the default bins=100 in any particular search. Is there any way to set something slightly higher as the default?

Use case: The majority of our timechart-based searches bucket reasonably well, but both Weekly and Business Weekly reports should not trigger a bump to the next bin size (daily) and should remain hourly. Unfortunately, I don't wish to have to add "bins=170" or "bins=200" to all searches and would like a way to set it as the default, which sounds like a very reasonable knob that ought to be available. I can't find it though.

I can't just set span=1h because the searches may vary between "show me today" to "show me the previous year." I need to keep the dynamic span aspect, just have a few more buckets available before it kicks me into larger buckets.

1 Solution

Motivator

Have you looked at this parameter in limits.conf?

[discretize]
* This stanza set attributes for bin/bucket/discretize.

default_time_bins = <integer>
* When discretizing time for timechart or explicitly via bin, the default bins to use if no span or bins is specified.
* Defaults to 100

SplunkTrust

Works perfectly. After double-checking and all that, I added

[discretize]
default_time_bins = 200

to /opt/splunk/etc/system/local/limits.conf, restarted Splunk and now weekly searches default to hourly bins. Perfect.
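The following is an added example, not part of the thread and not Splunk's own code: a simplified model of how a bin limit maps a search window to a span, showing why weekly and business-weekly windows fall to daily buckets at 100 bins and stay hourly at 200. The span ladder, the 30-day month and the function names are assumptions made for illustration; real searches that are not snapped to span boundaries can need one extra bucket.

```python
# Added illustration (not Splunk code): model of dynamic span selection
# when only a bin limit such as default_time_bins applies.
# SPAN_LADDER is an assumed, abbreviated list of candidate spans.
HOUR, DAY = 3600, 86400
SPAN_LADDER = [
    ("1s", 1), ("5s", 5), ("10s", 10), ("30s", 30),
    ("1m", 60), ("5m", 300), ("10m", 600), ("30m", 1800),
    ("1h", HOUR), ("1d", DAY),
    ("1mon", 30 * DAY),  # month approximated as 30 days (assumption)
]

def bucket_count(range_seconds, span_seconds):
    """Buckets needed to cover the window (ceiling division)."""
    return -(-range_seconds // span_seconds)

def pick_span(range_seconds, max_bins=100):
    """Return (span, buckets) for the finest span that fits in max_bins."""
    for label, seconds in SPAN_LADDER:
        buckets = bucket_count(range_seconds, seconds)
        if buckets <= max_bins:
            return label, buckets
    # Nothing fits: report the coarsest span in the ladder.
    label, seconds = SPAN_LADDER[-1]
    return label, bucket_count(range_seconds, seconds)

def min_bins_for(range_seconds, span_label):
    """Smallest bin limit that still allows span_label for this window."""
    return bucket_count(range_seconds, dict(SPAN_LADDER)[span_label])

# Constructed sample windows matching the use case in the question.
WINDOWS = {
    "today (24h)": 24 * HOUR,
    "business week (5d)": 5 * DAY,
    "week (7d)": 7 * DAY,
    "previous year (365d)": 365 * DAY,
}

def compare(limits=(100, 200)):
    """Map each window to the span chosen under each bin limit."""
    return {name: {b: pick_span(secs, b) for b in limits}
            for name, secs in WINDOWS.items()}

if __name__ == "__main__":
    for name, row in compare().items():
        cells = ", ".join(f"bins={b}: span={s} ({n} buckets)"
                          for b, (s, n) in row.items())
        print(f"{name:22} {cells}")
    print("bins needed for hourly over 7d:", min_bins_for(7 * DAY, "1h"))
```

In this model a 7-day window needs 168 hourly buckets and a 5-day window needs 120, which is why the values 170 and 200 mentioned in the question keep both reports hourly.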
