Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Timechart: How can I chart actual time vs. actual values

proletariat99
Communicator
‎05-19-2014 12:22 PM

Hi,
I am trying to chart a value over time, and the value may occur every few seconds, once per hour, once per day or with other varying amounts of frequency. An example event might look like this:

index=app_index
sourcetype=appname
source=applog
user=username
mycount=84
_time= 5/19/14 12:38:18.000 PM

And I would like to chart _time vs. mycount.

Unfortunately, timechart only seems to want to play nicely with a) spans of time and b) statistical metadata about my value (for instance: max(mycount) or avg(mycount) instead of just value(mycount)).

Again, what I would LIKE to see is a timechart of mycount (y-axis) with the exact time when it occurred (x-axis). If I make my span=1m or smaller, Splunk can't handle the load and I don't need that level of granularity at all times for all sources, only for those that have high frequency of occurrence.

Is there any way to get around "span=" for timechart? Is there any way to timechart value(mycount) rather than timechart max(mycount) for peaks and timechart min(mycount) for valleys?

Looking at these time series charts in buckets and using metadata is horrifically misleading when you have frequency-oscillating data, and I don't feel comfortable providing results on misleading data.

0 Karma
Reply
1 Solution
Solved! Jump to solution

somesoni2
Revered Legend
‎05-19-2014 12:57 PM

If you're getting one value per _time then all aggregate functions (avg, min, max, first, last) will give the absolute values.

Also, you can try doing just "| table _time, mycount" instead of timechart , if the no of events are small (~1000).

Below link provide way to dynamically change the span of the timechart. May be helpful.
http://answers.splunk.com/answers/54434/modifying-timecharts-span-based-on-selected-range

0 Karma
Reply
Solved! Jump to solution

proletariat99
Communicator
‎05-19-2014 12:54 PM

Thanks, Bert. I actually read that one already, and I thought he was having a different problem, but I missed the suggestion by the 2nd commenter, which actually answered my question. This works:

index=app_index | rename count as pcount | chart values(pcount) by _time user

Well, Splunk can't timechart more than like 10,000 records, so it doesn't work famously, but it works.

thanks.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...