Re: Modifying Timeline Scale

g3s1oa · ‎12-09-2010

Is there a way to specify the scale of the time chart when performing a search.

For instance, if you perform a search over 4 hours it seems to set the scale of each bar to 1 hour, but below 4 hours and it sets the scale to minutes.... I'd like to perform a search that is over the last 24 hours with each timeline bar equal to 1 minute.

Thanks! -Matt

coolburner1337 · ‎06-07-2017

push

We have the same need. Please help! It's urgent 😕

Kind regards

richgalloway · ‎06-07-2017

You're responding to a thread that is more than six years old so it's unlikely to get a reply. You should post a new question.

---
If this reply helps you, Karma would be appreciated.

donleedman · ‎04-23-2013

is there any update to this. It would be a good thing to be able to adjust the flash timechart based on what time scale I want.

ftk · ‎12-09-2010

Take a look at the documentation for the timechart command. You can define the bucketing you want using the span parameter as such:

your search | timechart span=1m count by my_field

ftk · ‎12-10-2010

To my knowledge there is no way to modify that, as the time ranges and spans are calculated on the fly based on the timespans displayed.

g3s1oa · ‎12-09-2010

Yes, sorry for the confusion. I'm talking about the flash timechart at the top of the results screen and below the query bar. Is there a way to modify that?

ftk · ‎12-09-2010

Oh, are you talking about the flash timechart that is displayed every time you do a search? The timechart command is a reporting command.

g3s1oa · ‎12-09-2010

That seems to replace the results with the count of the number of events for each minute... Can I keep the individual results in the main viewing window, but change the timeline granularity?

Modifying Timeline Scale

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes