Splunk Search

Timechart: How can I chart actual time vs. actual values

proletariat99
Communicator

Hi,
I am trying to chart a value over time, and the value may occur every few seconds, once per hour, once per day or with other varying amounts of frequency. An example event might look like this:

index=app_index
sourcetype=appname
source=applog
user=username
mycount=84
_time= 5/19/14 12:38:18.000 PM 

And I would like to chart _time vs. mycount.

Unfortunately, timechart only seems to want to play nicely with a) spans of time and b) statistical metadata about my value (for instance: max(mycount) or avg(mycount) instead of just value(mycount)).

Again, what I would LIKE to see is a timechart of mycount (y-axis) with the exact time when it occurred (x-axis). If I make my span=1m or smaller, Splunk can't handle the load and I don't need that level of granularity at all times for all sources, only for those that have high frequency of occurrence.

Is there any way to get around "span=" for timechart? Is there any way to timechart value(mycount) rather than timechart max(mycount) for peaks and timechart min(mycount) for valleys?

Looking at these time series charts in buckets and using metadata is horrifically misleading when you have frequency-oscillating data, and I don't feel comfortable providing results on misleading data.

0 Karma
1 Solution

somesoni2
Revered Legend

If you're getting one value per _time then all aggregate functions (avg, min, max, first, last) will give the absolute values.

Also, you can try doing just "| table _time, mycount" instead of timechart, if the number of events is small (~1000).

The link below provides a way to dynamically change the span of the timechart. It may be helpful.
http://answers.splunk.com/answers/54434/modifying-timecharts-span-based-on-selected-range

0 Karma

proletariat99
Communicator

Thanks, Bert. I actually read that one already, and I thought he was having a different problem, but I missed the suggestion by the 2nd commenter, which actually answered my question. This works:

index=app_index | rename count as pcount | chart values(pcount) by _time user

Well, Splunk can't timechart more than like 10,000 records, so it doesn't work famously, but it works.

thanks.

0 Karma
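To make the thread's point concrete (bucketed aggregates such as max(mycount) or avg(mycount) hide frequency-oscillating data, while charting the raw values per _time keeps every point, and with one event per _time an aggregate equals the raw value), here is an added Python simulation of both searches. It is not Splunk code and not from either poster; the events are constructed, and timechart/chart_values are simplified stand-ins for the SPL commands.

```python
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)

# Constructed sample events (not from the thread): a burst of readings a few
# seconds apart, then one reading an hour later, then one the following day.
EVENTS = [
    (datetime(2014, 5, 19, 12, 38, 18), 84),
    (datetime(2014, 5, 19, 12, 38, 25), 12),
    (datetime(2014, 5, 19, 12, 38, 31), 91),
    (datetime(2014, 5, 19, 12, 38, 40), 7),
    (datetime(2014, 5, 19, 13, 40, 0), 50),
    (datetime(2014, 5, 20, 12, 38, 18), 63),
]

def avg(vals):
    """Stand-in for avg(mycount)."""
    return sum(vals) / len(vals)

def timechart(events, span_seconds, func):
    """Mimic `timechart span=<N>s <func>(mycount)`: snap each _time down to
    the span grid, then reduce every bucket to one number with `func`."""
    buckets = {}
    for t, v in events:
        secs = int((t - EPOCH).total_seconds())
        start = EPOCH + timedelta(seconds=secs - secs % span_seconds)
        buckets.setdefault(start, []).append(v)
    return {start: func(vals) for start, vals in sorted(buckets.items())}

def chart_values(events):
    """Mimic `chart values(mycount) by _time`: one row per distinct _time with
    the raw value(s); no span and no aggregate are involved."""
    rows = {}
    for t, v in events:
        rows.setdefault(t, []).append(v)
    return dict(sorted(rows.items()))

if __name__ == "__main__":
    # span=1h collapses the 84 -> 12 -> 91 -> 7 swing into a single number
    print("span=1h max:", timechart(EVENTS, 3600, max))   # 12:00 bucket -> 91
    print("span=1h avg:", timechart(EVENTS, 3600, avg))   # 12:00 bucket -> 48.5
    print("raw values :", chart_values(EVENTS))           # all six points survive
    # One event per _time: every aggregate returns the raw value (accepted answer)
    assert timechart(EVENTS, 1, max) == {t: v for t, v in EVENTS}
```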