Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

set span in timechart based on value from time picker

sjovang
Engager
‎08-19-2016 02:26 AM

We have a dashboard panel showing network traffic. I want to override the default values used by Splunk.

e.g.

last 60min: span=1m
last 24h: span=15m
last 7 days: span=1h
last 30days: span=4h
all time: span=1d

Our first version of the panel used a hardcoded span of 15m, but obviously that won't work well when you're looking at 30days or all time.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gfuente
Motivator
‎08-19-2016 03:41 AM

Hello

This subquery will calculate the most granular possible span value for a given time range:

| timechart [ search index=_internal | head 1 | addinfo | eval span=ceil((info_max_time-info_min_time)/1000)."s" | return span] count

If you want exactly as you asked for, you can use this one instead:

| timechart [ search index=_internal | head 1 | addinfo | eval timerange= info_max_time-info_min_time | eval span=case(timerange<4000,"1m",timerange<90000,"15m",timerange<606000,"1h",timerange<2700000,"4h",1=1,"1d") | return span] count

Hope it helps

View solution in original post

Reply
Solved! Jump to solution
Solution

gfuente
Motivator
‎08-19-2016 03:41 AM

Hello

This subquery will calculate the most granular possible span value for a given time range:

| timechart [ search index=_internal | head 1 | addinfo | eval span=ceil((info_max_time-info_min_time)/1000)."s" | return span] count

If you want exactly as you asked for, you can use this one instead:

| timechart [ search index=_internal | head 1 | addinfo | eval timerange= info_max_time-info_min_time | eval span=case(timerange<4000,"1m",timerange<90000,"15m",timerange<606000,"1h",timerange<2700000,"4h",1=1,"1d") | return span] count

Hope it helps

Reply
Solved! Jump to solution

sjovang
Engager
‎08-19-2016 04:07 AM

Thanks. Your second solution was perfect

Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...