Splunk Search

Setting static timechart Y-Axis maximum value on command line.

RNB
Path Finder

I haven't found a question/answer specific to this issue timechart y-axis issue.

I have a timechart where I want the Y-Axis to always be 100%, but the chart is dynamic. Within the web interface you can specify this within the Format options, but if you use sendemail to send a PDF of the timechart the Y-Axis is currently 125% when the graphed items reach 95%. I want to ensure the Y-Axis is always 100% by enforcing it on the search command line.

RNB
Path Finder

@woodcock, thank you for your response and correcting my incorrect usage of the command.

Unfortunately, it still does not have any effect on the Y-Axis, but in looking back at my initial message I see that I did not make it clear that the Y-Axis scale I am referencing is the Y-Axis labels on the scale from 0 to 100, not limiting any data that might be spurious and causing a column over 100% appearing in the chart.

I do appreciate you time and help.
Thank you
Randy

alt text

0 Karma

woodcock
Esteemed Legend

The only way that I know of is to insert a dummy line that is always 100% all the way across, which you then ignore. You should call it something like "Always100percentIgnoreMe". You can do this by using append with gentimes:

https://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/gentimes

0 Karma

RNB
Path Finder

@woodcock, thank you for your response.

I can see how gentimes would impact the X-Axis but when I implemented gentimes and append, it did not produce any changes in my chart that I could detect. However, I cannot see how gentimes would impact the Y-Axis. My search string was as follows:

| gentimes start=-7 | append [search %ASA-2-321006 NOT host=splunkserver] | rex "reached (?\d+)" | timechart span=1d max(Utilization) by host

To be specific about the application (an academic exercise), I am monitoring a device that is exhibiting characteristics of a memory leak. Over time the utilized memory increases and I discovered that around 95% utilization the Y-Axis changed from 0-100% utilization to 0-110% utilization, and at 97% the Y-Axis changed to 0-125%.

Ultimately, I am trying to establish the rate of growth per day, and at what point the memory leak causes the device to fail. I want the maximum Y-Axis scale to be 100 for a consistent view. This can be accomplished in the web interface in the Visualization tab, but I have not found a method from the command line as I am also using sendemail to send the PDF report that includes the graph that does not observe the Y-Axis Min/Max values in the web interface.

Ideally, I think an optional argument for timechart such as x-axis()= would be a big help.

0 Karma

woodcock
Esteemed Legend

Try this:

%ASA-2-321006 NOT host=splunkserver | rex "reached (?\d+)"
| append [|gentimes start=-7 | eval host="Always100percentIgnoreMe" | eval Utilization="100" ]
| timechart span=1d max(Utilization) by host
0 Karma
Get Updates on the Splunk Community!

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...