If you perform a query that returns events that do not hit the left or right "edge" of your specified time range, and then timechart these events, the timechart axis starts and ends with the first and last event rather than the earliest/latest clause you specified in your query.
I would expect the timechart scale to "honor" the query time range.
It is an infuriating problem for those who want multiple timecharts on a dashboard as the scale on the various charts may not tally.
To illustrate, here is a rather contrived example you can run yourself.
The query below simulates a search over the last day in which all returned events fell within the middle 12h of that day, i.e. nothing during the first/last 4h:
index=_audit earliest=-1d latest=now
| where _time<(now()-60*60*4) AND _time>(now()-60*60*20)
| timechart span=5m count
Notice that the timechart's x axis starts and ends with the first/last datapoint - in other words it only shows the "populated" 12h rather than the whole 24h.
Now for the inelegant workaround. It appears that timechart suddenly DOES honor your time range if you put a reporting command BEFORE the timechart, for example:
index=_audit earliest=-1d latest=now
| where _time<(now()-60*60*4) AND _time>(now()-60*60*20)
| bucket span=5m _time
| stats count BY _time
| timechart span=5m avg(count)
I currently use this as a workaround, but it is artificial and confusing for maintainers.
Anyone know of a more elegant fix?
@aferone I still don't know of a proper fix, but I habitually use the following workaround.
First, to recap the problem demonstrator query: it looks back over 24 hours but throws away all but the "middle" 12h of the period. The defect causes the scale bounds to "snap" to the data extents:
index=_audit earliest=-1d latest=now
| where _time<(now()-60*60*4) AND _time>(now()-60*60*20)
| timechart span=5m count AS tally BY host
Adding the following two lines resolves that issue. You can slap these lines onto any problem query and it will do the same for you. Only thing is that you must stipulate the same span value as the first timechart, but otherwise it is totally reusable as-is...
...
| untable _time series value
| timechart span=5m first(value) BY series
Did this ever get resolved? I had the same question here:
Thanks.
I have found a similar complaint (http://answers.splunk.com/answers/96869/timechart-yesterday-forced-to-display-full-24-hours)
This guy's workaround is a bit better than mine, which is to stick a fillnull just before the timechart.
So this
index=* earliest=-1d latest=now | head 1 | timechart span=1h count
becomes
index=* earliest=-1d latest=now | head 1 | fillnull value=NULL | timechart span=1h count
The problem with "fillnull value=NULL" is that it changes my search completion time from 10 seconds to 3 minutes.
Therefore that's not a good workaround.
The only one that works for me is using stats before timechart.
Anyway, I put in a bug report for this issue.
What about the fixedrange option for timechart? From the docs page (http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Timechart?r=searchtip)
fixedrange
Syntax: fixedrange=
Description: (Not valid for 4.2) Specify whether or not to enforce the earliest and latest times of the search. Setting it to false allows the timechart to constrict to just the time range with valid data. Default is True | T.
I know in the latest version of Splunk this defaults to True, but if you're not on the latest version of Splunk, then it might not be set to "true" by default. I've had similar issues, and this has fixed the issue.
I am on version 6.0.1, so pretty recent. The fixedrange=T promises to solve my issue, but doesn't deliver.
To illustrate, the following query still fits the x axis to the data:
index=* earliest=-1d latest=now | head 1 | timechart fixedrange=T count
So I guess this is a Splunk bug then.
Even if you don't use the stats and bucket, it will show you the time interval you want in the timechart. If you don't mention the span, it shows one data point; on that you are correct.
@linu1988 I don't have an issue with the allowable number of datapoints on a chart, nor the span.
If you run this query:
index=* earliest=-1d latest=now | head 1 | timechart count
You'll see the x axis does not cover the whole day; it just "fits" to the one datapoint returned.
Hello,
It's because of the limitation on the JS and Flashchart. Take a look at this post. If you don't put the span then timechart will smartly adjust the values.
Thanks
Can't seem to edit my question to get rid of a formatting gremlin. The queries should have been:
index=_audit earliest=-1d latest=now
| where _time<(now()-60 * 60 * 4) AND _time>(now()-60 * 60 * 20)
| timechart span=5m count
..... and .....
index=_audit earliest=-1d latest=now
| where _time<(now()-60 * 60 * 4) AND _time>(now()-60 * 60 * 20)
| bucket span=5m _time
| stats count BY _time
| timechart span=5m avg(count)
