Splunk Search

Setting static timechart Y-Axis maximum value on command line.

RNB
Path Finder

I haven't found a question/answer specific to this timechart y-axis issue.

I have a timechart where I want the Y-Axis to always be 100%, but the chart is dynamic. Within the web interface you can specify this within the Format options, but if you use sendemail to send a PDF of the timechart the Y-Axis is currently 125% when the graphed items reach 95%. I want to ensure the Y-Axis is always 100% by enforcing it on the search command line.

RNB
Path Finder

@woodcock, thank you for your response and correcting my incorrect usage of the command.

Unfortunately, it still does not have any effect on the Y-Axis, but in looking back at my initial message I see that I did not make it clear that the Y-Axis scale I am referencing is the Y-Axis labels on the scale from 0 to 100, not limiting any data that might be spurious and causing a column over 100% appearing in the chart.

I do appreciate your time and help.
Thank you
Randy

0 Karma

woodcock
Esteemed Legend

The only way that I know of is to insert a dummy line that is always 100% all the way across, which you then ignore. You should call it something like "Always100percentIgnoreMe". You can do this by using append with gentimes:

https://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/gentimes

0 Karma

RNB
Path Finder

@woodcock, thank you for your response.

I can see how gentimes would impact the X-Axis but when I implemented gentimes and append, it did not produce any changes in my chart that I could detect. However, I cannot see how gentimes would impact the Y-Axis. My search string was as follows:

| gentimes start=-7 | append [search %ASA-2-321006 NOT host=splunkserver] | rex "reached (?<Utilization>\d+)" | timechart span=1d max(Utilization) by host

To be specific about the application (an academic exercise), I am monitoring a device that is exhibiting characteristics of a memory leak. Over time the utilized memory increases and I discovered that around 95% utilization the Y-Axis changed from 0-100% utilization to 0-110% utilization, and at 97% the Y-Axis changed to 0-125%.

Ultimately, I am trying to establish the rate of growth per day, and at what point the memory leak causes the device to fail. I want the maximum Y-Axis scale to be 100 for a consistent view. This can be accomplished in the web interface in the Visualization tab, but I have not found a method from the command line as I am also using sendemail to send the PDF report that includes the graph that does not observe the Y-Axis Min/Max values in the web interface.

Ideally, I think an optional argument for timechart such as x-axis()= would be a big help.

0 Karma

woodcock
Esteemed Legend

Try this:

%ASA-2-321006 NOT host=splunkserver | rex "reached (?<Utilization>\d+)"
| append [| gentimes start=-7 | eval _time=starttime | eval host="Always100percentIgnoreMe" | eval Utilization="100" ]
| timechart span=1d max(Utilization) by host
0 Karma