Splunk Search

Setting static timechart Y-Axis maximum value on command line.

Path Finder

I haven't found a question/answer specific to this timechart Y-Axis issue.

I have a timechart where I want the Y-Axis to always be 100%, but the chart is dynamic. Within the web interface you can specify this within the Format options, but if you use sendemail to send a PDF of the timechart the Y-Axis is currently 125% when the graphed items reach 95%. I want to ensure the Y-Axis is always 100% by enforcing it on the search command line.

Path Finder

@woodcock, thank you for your response and correcting my incorrect usage of the command.

Unfortunately, it still does not have any effect on the Y-Axis, but in looking back at my initial message I see that I did not make it clear that the Y-Axis scale I am referencing is the Y-Axis labels on the scale from 0 to 100, not limiting any data that might be spurious and causing a column over 100% to appear in the chart.

I do appreciate your time and help.
Thank you


0 Karma

Esteemed Legend

The only way that I know of is to insert a dummy line that is always 100% all the way across, which you then ignore. You should call it something like "Always100percentIgnoreMe". You can do this by using append with gentimes:


0 Karma

Path Finder

@woodcock, thank you for your response.

I can see how gentimes would impact the X-Axis but when I implemented gentimes and append, it did not produce any changes in my chart that I could detect. However, I cannot see how gentimes would impact the Y-Axis. My search string was as follows:

| gentimes start=-7 | append [search %ASA-2-321006 NOT host=splunkserver] | rex "reached (?<Utilization>\d+)" | timechart span=1d max(Utilization) by host

To be specific about the application (an academic exercise), I am monitoring a device that is exhibiting characteristics of a memory leak. Over time the utilized memory increases and I discovered that around 95% utilization the Y-Axis changed from 0-100% utilization to 0-110% utilization, and at 97% the Y-Axis changed to 0-125%.

Ultimately, I am trying to establish the rate of growth per day, and at what point the memory leak causes the device to fail. I want the maximum Y-Axis scale to be 100 for a consistent view. This can be accomplished in the web interface in the Visualization tab, but I have not found a method from the command line as I am also using sendemail to send the PDF report that includes the graph that does not observe the Y-Axis Min/Max values in the web interface.

Ideally, I think an optional argument for timechart such as x-axis()= would be a big help.

0 Karma

Esteemed Legend

Try this:

%ASA-2-321006 NOT host=splunkserver | rex "reached (?<Utilization>\d+)"
| append [|gentimes start=-7 | eval _time=starttime | eval host="Always100percentIgnoreMe" | eval Utilization="100" ]
| timechart span=1d max(Utilization) by host
0 Karma