Timechart - Is there a way to define the <selection> area in-code?

nsassine
Explorer

Hello,

I'm using a timechart with the following block for allowing the user to select a specific area and see stats on it.

        <selection>
          <set token="TOKEN_TIME_selection.earliest">$start$</set>
          <set token="TOKEN_TIME_selection.latest">$end$</set>
        </selection>

However, the chart has an area of interest that I can detect and that I want to be selected by default. I still want to show the whole chart (so I can't use <earliest> and <latest>), but it would be nice to show it with the area of interest already selected by default, and therefore showing stats for that.

To clarify what I mean, this is what I would like to show by default:

nsassine_0-1664785188816.png

I can't find anything in the documentation to define the <selection> area in-code, so I would like to know if there is any way to do it.

Thank you!

yuanliu
SplunkTrust

Based on your mockup, you want the chart to break linear time axis and zoom in place.  I don't believe there is a defined function for this.  As an alternative, you want to look into Zoom to another chart. (And Define conditional matching which will help you set token values based on your detected area of interest.)

0 Karma

nsassine
Explorer

Thank you for your answer!

I'm not sure if I'm using the right terminology or if I completely understood what you mean, but I already know how to zoom to another chart and, in general, to pass the $start$ and $end$ of a selected area as tokens.

What I'm looking for is a way to have the highlighted area already pre-selected (not zoomed in) when you open the dashboard, as shown on the image, to get the stats for only the selected area by default and allow the user to change the selection if needed.

For reference, I use the tokens I set for a statistics table right under the chart:

          <earliest>$TOKEN_TIME_selection.earliest$</earliest>
          <latest>$TOKEN_TIME_selection.latest$</latest>

If having a visible selection area pre-placed isn't possible, I could also work with detecting whether the user has selected an area or not, and if no selection is detected I would set by default $TOKEN_TIME_selection.earliest$ and $TOKEN_TIME_selection.latest$ to the area of interest.

0 Karma

yuanliu
SplunkTrust

There are techniques to place visible markers on a timechart. Assuming you either calculated the token values in this chart, or pre-calculated them in init section, $interested_start$, $interested_end$, and that your groupby field is called series, a simple trick could be

| timechart count by series
| appendcols
    [| tstats count as "zoom here" where index=_internal sourcetype=splunkd by _time
    | eval "zoom here" = if($interested_end$ > _time AND _time > $interested_start$, 'zoom here', 0)
    | fields "zoom here"]

In this example, _internal index is used with tstats; if you choose your real index, real sourcetype, etc., the new series "zoom here" will be roughly the sum of all original series, thus higher than all other series, like

zoom-mark.png

This may or may not be desirable.  If this is undesirable, or if you choose to use _internal, you will need to put "zoom here" on chart overlay and enable "View as axis"; this will normalize the marker series, like this:

zoom-mark-normalized.png

Hope this helps.

nsassine
Explorer

I think this is the closest we can get to what I need. Instead of placing another chart, I went with adding annotations on the chart for the area of interest, which in my opinion looks cleaner.

Thanks for your answers!

0 Karma
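
The fallback described in the thread (default the selection tokens to the area of interest until the user drags a selection) together with the annotation markers, as an added Simple XML example that is not code from any poster. The detection query, the `detect_interest` search id, the `_internal` sample data and the 24-hour window are assumptions for illustration; the token names are the ones used in the thread.

```xml
<dashboard>
  <label>Default area of interest (added example)</label>
  <!-- Hypothetical detection: busiest 1-hour bucket. Replace with your own logic. -->
  <search id="detect_interest">
    <query>| tstats count where index=_internal sourcetype=splunkd by _time span=1h
| sort 0 - count | head 1
| eval interested_start=_time, interested_end=_time+3600</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
    <done>
      <condition match="'job.resultCount' &gt; 0">
        <!-- Fixed markers for the annotation search below -->
        <set token="interested_start">$result.interested_start$</set>
        <set token="interested_end">$result.interested_end$</set>
        <!-- Defaults for the stats table until the user drags a selection -->
        <set token="TOKEN_TIME_selection.earliest">$result.interested_start$</set>
        <set token="TOKEN_TIME_selection.latest">$result.interested_end$</set>
      </condition>
    </done>
  </search>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd | timechart count by series</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <!-- Two annotation events mark the edges of the area of interest -->
        <search type="annotation">
          <query>| makeresults count=2 | streamstats count as n
| eval _time=if(n=1, $interested_start$, $interested_end$), annotation_label="area of interest"</query>
        </search>
        <selection>
          <set token="TOKEN_TIME_selection.earliest">$start$</set>
          <set token="TOKEN_TIME_selection.latest">$end$</set>
        </selection>
      </chart>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd | stats count by series</query>
          <earliest>$TOKEN_TIME_selection.earliest$</earliest>
          <latest>$TOKEN_TIME_selection.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

The chart keeps its full time range; only the table is scoped by the tokens, and reloading the dashboard re-runs the detection search and resets them to the area of interest.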