Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Passing span as argument to timechart

keerthana_k
Communicator
‎03-18-2013 05:52 AM

Hi
I have a requirement wherein I have to display 3 different series in a single chart. I am using an append query to fetch all the results and manipulating the search job in my dashboard.xml. I also have a dropdown at the top to select time ranges. Based on the time ranges selected, my timechart's span should also vary ex. for last 60 minutes, the span should be 5 minutes and so on. When I pass the span value dynamically, I am getting an error saying "Invalid Option". Please tell me how this can be done.

Tags (2)
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-19-2013 03:34 PM

In that case you can hack yourself to dynamic spans like this:

index=_internal | timechart count [stats count | addinfo | eval range = info_max_time - info_min_time | eval span = "span=".case(range < 4000, "5m", range < 90000, "1h", 1=1, "12h") | return $span]

The subsearch probably is best put into a macro.

Reply

keerthana_k
Communicator
‎03-25-2013 02:42 AM

I tried this but I keep getting the error: SearchException: This search cannot be parsed when parse_only is set to true. Any help with this?

Reply

helge
Builder
‎01-19-2015 03:52 PM

Works great!

0 Karma
Reply

keerthana_k
Communicator
‎03-19-2013 01:43 AM

I have hard coded it for now. I cannot use fixed bins as my time ranges vary greatly. They are Last 60 minutes, Last 24 hours and Last 7 days.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-18-2013 06:02 AM

How are you passing the span now?

Have you considered specifying a fixed maximum number of bins instead?

Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...