Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Passing span as argument to timechart

keerthana_k
Communicator
‎03-18-2013 05:52 AM

Hi
I have a requirement wherein I have to display 3 different series in a single chart. I am using an append query to fetch all the results and manipulating the search job in my dashboard.xml. I also have a dropdown at the top to select time ranges. Based on the time ranges selected, my timechart's span should also vary ex. for last 60 minutes, the span should be 5 minutes and so on. When I pass the span value dynamically, I am getting an error saying "Invalid Option". Please tell me how this can be done.

Tags (2)
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-19-2013 03:34 PM

In that case you can hack yourself to dynamic spans like this:

index=_internal | timechart count [stats count | addinfo | eval range = info_max_time - info_min_time | eval span = "span=".case(range < 4000, "5m", range < 90000, "1h", 1=1, "12h") | return $span]

The subsearch probably is best put into a macro.

Reply

keerthana_k
Communicator
‎03-25-2013 02:42 AM

I tried this but I keep getting the error: SearchException: This search cannot be parsed when parse_only is set to true. Any help with this?

Reply

helge
Builder
‎01-19-2015 03:52 PM

Works great!

0 Karma
Reply

keerthana_k
Communicator
‎03-19-2013 01:43 AM

I have hard coded it for now. I cannot use fixed bins as my time ranges vary greatly. They are Last 60 minutes, Last 24 hours and Last 7 days.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-18-2013 06:02 AM

How are you passing the span now?

Have you considered specifying a fixed maximum number of bins instead?

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...