Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Native Chart Format Limitations

himynamesdave
Contributor
‎11-23-2013 02:20 PM

I'm trying to build a timechart (line graph) over 13 years using a 12 month span.

My search to generate the visualisation looks like this:

sourcetype="ec_com_donations_CSV"| bin _time span=12mon| timechart sum(Value) by Entity_name useother=f limit=6

And produces a line graph (-line) the looks like this:

alt text

If I choose a span <= to 1mon the visualisation shows an adjoining line between points, as intended. However, anything > 1mon, like my search above, the lines disappear.

Why is this? I know this can probably be resolved through XML, but can it be done natively in Splunk (am I missing something obvious!)?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎11-23-2013 08:30 PM

Check your format options on the line graph. One choice is between the options "Gap", "Treat as Zero", and "Trend". Try different options and see if you get what you want.

Perhaps a better option is to run the search this way:

sourcetype="ec_com_donations_CSV" 
| timechart sum(Value) by Entity_name useother=f limit=6 span=12mon

In your original search, you used the bin command to group the data, but timechart didn't know about the grouping and therefore saw the data as disjoint points. In this version, timechart itself is doing the grouping and therefore should preserve the lines.

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎11-23-2013 08:30 PM

Check your format options on the line graph. One choice is between the options "Gap", "Treat as Zero", and "Trend". Try different options and see if you get what you want.

Perhaps a better option is to run the search this way:

sourcetype="ec_com_donations_CSV" 
| timechart sum(Value) by Entity_name useother=f limit=6 span=12mon

In your original search, you used the bin command to group the data, but timechart didn't know about the grouping and therefore saw the data as disjoint points. In this version, timechart itself is doing the grouping and therefore should preserve the lines.

Reply
Solved! Jump to solution

lguinn2
Legend
‎11-26-2013 07:24 AM

Wow - that's weird. I did actually know that Splunk sees the span option of timechart as somewhat advisory in nature. But I have never seen timechart refuse to create larger time buckets, only smaller ones. (For example, timechart can't show 30 days of data in seconds.) And in recent versions, I have seen Splunk issue a message rather than simply ignoring the option.

0 Karma
Reply
Solved! Jump to solution

himynamesdave
Contributor
‎11-26-2013 06:52 AM

Thanks for your help.

I managed to solve it by selecting - Format > General > Null Values > Join - using my original search command.

I'm interested to know more about why the "span" command in the search you suggested does not work (this was the search I tried first for this viz). Using "span=12mon" does not group the data into 12 month buckets (it remains in 1 month intervals) - which is why I experimented with the "bin" command.

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...