Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- set span in timechart based on value from time pic...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sjovang
Engager
08-19-2016
02:26 AM
We have a dashboard panel showing network traffic. I want to override the default values used by Splunk.
e.g.
last 60min: span=1m
last 24h: span=15m
last 7 days: span=1h
last 30days: span=4h
all time: span=1d
Our first version of the panel used a hardcoded span of 15m, but obviously that won't work well when you're looking at 30days or all time.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gfuente
Motivator
08-19-2016
03:41 AM
Hello
This subquery will calculate the most granular possible span value for a given time range:
| timechart [ search index=_internal | head 1 | addinfo | eval span=ceil((info_max_time-info_min_time)/1000)."s" | return span] count
If you want exactly as you asked for, you can use this one instead:
| timechart [ search index=_internal | head 1 | addinfo | eval timerange= info_max_time-info_min_time | eval span=case(timerange<4000,"1m",timerange<90000,"15m",timerange<606000,"1h",timerange<2700000,"4h",1=1,"1d") | return span] count
Hope it helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gfuente
Motivator
08-19-2016
03:41 AM
Hello
This subquery will calculate the most granular possible span value for a given time range:
| timechart [ search index=_internal | head 1 | addinfo | eval span=ceil((info_max_time-info_min_time)/1000)."s" | return span] count
If you want exactly as you asked for, you can use this one instead:
| timechart [ search index=_internal | head 1 | addinfo | eval timerange= info_max_time-info_min_time | eval span=case(timerange<4000,"1m",timerange<90000,"15m",timerange<606000,"1h",timerange<2700000,"4h",1=1,"1d") | return span] count
Hope it helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sjovang
Engager
08-19-2016
04:07 AM
Thanks. Your second solution was perfect
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
Community Content Calendar, September edition
Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...
Splunkbase Unveils New App Listing Management Public Preview
Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...
