Solved: set span in timechart based on value from time pic...

sjovang · ‎08-19-2016

We have a dashboard panel showing network traffic. I want to override the default values used by Splunk.

e.g.

last 60min: span=1m
last 24h: span=15m
last 7 days: span=1h
last 30days: span=4h
all time: span=1d

Our first version of the panel used a hardcoded span of 15m, but obviously that won't work well when you're looking at 30days or all time.

gfuente · ‎08-19-2016

Hello

This subquery will calculate the most granular possible span value for a given time range:

| timechart [ search index=_internal | head 1 | addinfo | eval span=ceil((info_max_time-info_min_time)/1000)."s" | return span] count

If you want exactly as you asked for, you can use this one instead:

| timechart [ search index=_internal | head 1 | addinfo | eval timerange= info_max_time-info_min_time | eval span=case(timerange<4000,"1m",timerange<90000,"15m",timerange<606000,"1h",timerange<2700000,"4h",1=1,"1d") | return span] count

Hope it helps

View solution in original post

gfuente · ‎08-19-2016

Hello

This subquery will calculate the most granular possible span value for a given time range:

| timechart [ search index=_internal | head 1 | addinfo | eval span=ceil((info_max_time-info_min_time)/1000)."s" | return span] count

If you want exactly as you asked for, you can use this one instead:

| timechart [ search index=_internal | head 1 | addinfo | eval timerange= info_max_time-info_min_time | eval span=case(timerange<4000,"1m",timerange<90000,"15m",timerange<606000,"1h",timerange<2700000,"4h",1=1,"1d") | return span] count

Hope it helps

sjovang · ‎08-19-2016

Thanks. Your second solution was perfect

set span in timechart based on value from time picker

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!