Solved: Re: set span in timechart based on value from time...

sjovang · ‎08-19-2016

We have a dashboard panel showing network traffic. I want to override the default values used by Splunk.

e.g.

last 60min: span=1m
last 24h: span=15m
last 7 days: span=1h
last 30days: span=4h
all time: span=1d

Our first version of the panel used a hardcoded span of 15m, but obviously that won't work well when you're looking at 30days or all time.

gfuente · ‎08-19-2016

Hello

This subquery will calculate the most granular possible span value for a given time range:

| timechart [ search index=_internal | head 1 | addinfo | eval span=ceil((info_max_time-info_min_time)/1000)."s" | return span] count

If you want exactly as you asked for, you can use this one instead:

| timechart [ search index=_internal | head 1 | addinfo | eval timerange= info_max_time-info_min_time | eval span=case(timerange<4000,"1m",timerange<90000,"15m",timerange<606000,"1h",timerange<2700000,"4h",1=1,"1d") | return span] count

Hope it helps

View solution in original post

gfuente · ‎08-19-2016

Hello

This subquery will calculate the most granular possible span value for a given time range:

| timechart [ search index=_internal | head 1 | addinfo | eval span=ceil((info_max_time-info_min_time)/1000)."s" | return span] count

If you want exactly as you asked for, you can use this one instead:

| timechart [ search index=_internal | head 1 | addinfo | eval timerange= info_max_time-info_min_time | eval span=case(timerange<4000,"1m",timerange<90000,"15m",timerange<606000,"1h",timerange<2700000,"4h",1=1,"1d") | return span] count

Hope it helps

sjovang · ‎08-19-2016

Thanks. Your second solution was perfect

set span in timechart based on value from time picker

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms