I haven't found a question/answer specific to this issue timechart y-axis issue.
I have a timechart where I want the Y-Axis to always be 100%, but the chart is dynamic. Within the web interface you can specify this within the Format options, but if you use sendemail to send a PDF of the timechart the Y-Axis is currently 125% when the graphed items reach 95%. I want to ensure the Y-Axis is always 100% by enforcing it on the search command line.
@woodcock, thank you for your response and correcting my incorrect usage of the command.
Unfortunately, it still does not have any effect on the Y-Axis, but in looking back at my initial message I see that I did not make it clear that the Y-Axis scale I am referencing is the Y-Axis labels on the scale from 0 to 100, not limiting any data that might be spurious and causing a column over 100% appearing in the chart.
I do appreciate you time and help.
The only way that I know of is to insert a dummy line that is always 100% all the way across, which you then ignore. You should call it something like "Always100percentIgnoreMe". You can do this by using
@woodcock, thank you for your response.
I can see how gentimes would impact the X-Axis but when I implemented gentimes and append, it did not produce any changes in my chart that I could detect. However, I cannot see how gentimes would impact the Y-Axis. My search string was as follows:
| gentimes start=-7 | append [search %ASA-2-321006 NOT host=splunkserver] | rex "reached (?\d+)" | timechart span=1d max(Utilization) by host
To be specific about the application (an academic exercise), I am monitoring a device that is exhibiting characteristics of a memory leak. Over time the utilized memory increases and I discovered that around 95% utilization the Y-Axis changed from 0-100% utilization to 0-110% utilization, and at 97% the Y-Axis changed to 0-125%.
Ultimately, I am trying to establish the rate of growth per day, and at what point the memory leak causes the device to fail. I want the maximum Y-Axis scale to be 100 for a consistent view. This can be accomplished in the web interface in the Visualization tab, but I have not found a method from the command line as I am also using sendemail to send the PDF report that includes the graph that does not observe the Y-Axis Min/Max values in the web interface.
Ideally, I think an optional argument for timechart such as x-axis()= would be a big help.
%ASA-2-321006 NOT host=splunkserver | rex "reached (?\d+)" | append [|gentimes start=-7 | eval host="Always100percentIgnoreMe" | eval Utilization="100" ] | timechart span=1d max(Utilization) by host