Re: Passing span as argument to timechart

keerthana_k · ‎03-18-2013

Hi
I have a requirement wherein I have to display 3 different series in a single chart. I am using an append query to fetch all the results and manipulating the search job in my dashboard.xml. I also have a dropdown at the top to select time ranges. Based on the time ranges selected, my timechart's span should also vary ex. for last 60 minutes, the span should be 5 minutes and so on. When I pass the span value dynamically, I am getting an error saying "Invalid Option". Please tell me how this can be done.

martin_mueller · ‎03-19-2013

In that case you can hack yourself to dynamic spans like this:

index=_internal | timechart count [stats count | addinfo | eval range = info_max_time - info_min_time | eval span = "span=".case(range < 4000, "5m", range < 90000, "1h", 1=1, "12h") | return $span]

The subsearch probably is best put into a macro.

keerthana_k · ‎03-25-2013

I tried this but I keep getting the error: SearchException: This search cannot be parsed when parse_only is set to true. Any help with this?

helge · ‎01-19-2015

Works great!

keerthana_k · ‎03-19-2013

I have hard coded it for now. I cannot use fixed bins as my time ranges vary greatly. They are Last 60 minutes, Last 24 hours and Last 7 days.

martin_mueller · ‎03-18-2013

How are you passing the span now?

Have you considered specifying a fixed maximum number of bins instead?

Passing span as argument to timechart

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?