Splunk Search

Why is the Time picker not working on search/dashboard?

michaelnorup
Communicator

Hi.

I have a search that shows a graph chart for 14 months. If I change the time picker it still shows 14 months for some reason. As you can see in the picture, the time picker says 30 days, but the graph still shows 14 months. What gives?

michaelnorup_0-1693302534910.png

Also, is there a way to display a trendline on the graph? If I use the | trendline sma10(Cores) or the like, it changes the graph instead of just showing a linear line.

0 Karma
1 Solution

gcusello
SplunkTrust

Hi @michaelnorup,

Using loadjob, you display the results of an already executed search, so the Time Picker has no effect on it; you can use the Time Picker on searches, not on loadjob.

Ciao.

Giuseppe


michaelnorup
Communicator

Hi Giuseppe.

Thanks, makes sense, thanks a lot.

Do you have any idea about the trendline then? 🙂

0 Karma

gcusello
SplunkTrust

Hi @michaelnorup,

About the trendline, if you have data to create the trendline in the results of the loadjob, you could elaborate them.

I cannot see them because, after a timechart, you don't have other fields; see, removing the timechart, which fields you have, so you could modify your search.

If you would like help, please share your search in text mode (using the Insert/Edit Code Sample button), not as a screenshot, eventually with a masked part, to avoid re-writing the whole search.

Ciao.

Giuseppe

0 Karma

michaelnorup
Communicator

Hi 

This is the loadjob:

| savedsearch "Server - XXXXXX"
| fillnull value=-
| search SerialNumber!=VMware*
| eval ServerName = host
| eval ServerName = upper(ServerName)
| eval Virtual="N/A"
| eval PowerState="PoweredOn"
| append
    [| savedsearch "Server - Vmware info"
    | eval CPU_Arch = "x86_64"
    | eval Cores = CpuCount
    | eval DiskGB = ProvisionedSpaceGB
    | eval Virtual="VMware"]
| table _time Date Customer ServerName Cores MemoryGB DiskGB CPU_Arch PowerState Virtual Landscape SID System Instance
| fillnull value=-
| eval Date=strftime(_time, "%x")
| dedup ServerName,Date

Can you use that? ^^
Thanks

0 Karma

gcusello
SplunkTrust

Hi @michaelnorup,

Sorry, I forgot the main question: which trend do you want to display?

In other words, with the previous search you have the used number of cores, what do you want to add to the graph?

Ciao.

Giuseppe

0 Karma

michaelnorup
Communicator

Would love to add a trend line for the amount of cores, so it's easier to see if it's trending up or down (and maybe even a forecast?).

0 Karma
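
An added example, not posted by anyone in this thread: one way to make loadjob results follow the Time Picker and to overlay a straight (least-squares) trend line on the Cores series instead of a moving average. The owner/app/search name in the loadjob reference, the daily span and the Trend field name are assumptions.

```spl
| loadjob savedsearch="<owner>:<app>:<saved search name>"
| addinfo
| where _time>=info_min_time AND (_time<=info_max_time OR info_max_time="+Infinity")
| timechart span=1d sum(Cores) as Cores
| where isnotnull(Cores)
| streamstats count as x
| eval xy=x*Cores, xx=x*x
| eventstats count as n sum(x) as sx sum(Cores) as sy sum(xy) as sxy sum(xx) as sxx
| eval slope=(n*sxy-sx*sy)/(n*sxx-sx*sx)
| eval intercept=(sy-slope*x*0-slope*sx)/n
| eval Trend=intercept+slope*x
| fields _time Cores Trend
```

addinfo exposes the Time Picker bounds as info_min_time and info_max_time, so the where clause trims the already computed results to the selected range; the row index x is used for the regression instead of _time to keep the sums small.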