Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

The automatic timechart range changed after upgrading from Splunk 6.3.1 to 6.3.3. What can we set to revert to the old behavior?

johnraftery
Communicator
‎02-17-2016 04:38 AM

We have certain source types where there is only data from months ago. When putting this into a timechart, the chart was smart enough to see that it didn't need to display months of nothing, so the earliest and latest end of the chart were set to the earliest and latest times of the data. That was in 6.3.1. We've just upgraded to 6.3.3, and this is no longer working. Now, the chart shows everything from the start of the data until now, which is not useful at all. Is there a flag or something that we can set to revert to the old behavior?

Many thanks,
John Raftery

0 Karma
Reply

jeffland
SplunkTrust
SplunkTrust
‎02-17-2016 05:06 AM

Have you had a look at the fixedrange argument for timechart? The description sounds interesting:

Specify whether or not to enforce the earliest and latest times of the search. Setting fixedrange=false allows the timechart command to constrict to just the time range with valid data.
0 Karma
Reply

johnraftery
Communicator
‎02-17-2016 06:18 AM

Thanks for pointing me towards fixedrange - this seems related to what I need. In the end though it just puts all of my data into one bin. This is my query:
eventtype=mlc sourcetype=vmstat-linux host=DBS_TEST_engine_profiler4 | timechart fixedrange=false bins=100 avg(cpu_used) by source
Interestingly, if I change bins=100 into span=1m, it produces what I want. However, I can't use span=1m because often there would be too many points to display - when the time range is too long.

0 Karma
Reply

jeffland
SplunkTrust
SplunkTrust
‎02-17-2016 06:29 AM

Hm, that's interesting. I must admit I've had my share of weird moments with timechart (with bins and span in particular). Is there any other setting you could use, e.g. minspan, that might help splunk identify the right bin size on its own without the need for bins? timechart really has a host of options. Unfortunately, I can't pinpoint the appropriate setting for you right off the bat.

0 Karma
Reply

johnraftery
Communicator
‎02-18-2016 08:41 AM

Ok, thanks anyway.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Building on the foundation established in our initial Value Insights releases, we are introducing the Savings ...

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...