Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

timechart auto scale, how to over-ride?

Michael
Contributor
‎03-31-2017 07:52 AM

I have a very simple query that shows the number of events over the course of a month -- plotted on a timechart:

| timechart count by host limit=0 span=1d

The graph that gets drawn puts the first event at the far left, and the last event on the far right, and changes the scale (start and end dates) accordingly.

For example, if I have some events on the 4th of the month, then more on the 8th -- the graph has two bars (in the case of a bar-graph) at both ends of the graph that starts with 4 and ends with 8 -- when I really want the whole month represented. Wish I could post a screenshot, but I think you get the picture. Played around with various timechart options and every legend option I could try...

How can I over-ride this behavior?

For the record, I understand why it's doing this: it doesn't know that there's a minimum x-axis value of 1 and max of 31. However, I'm looking for a way to set those min-max x-axis values.

Thanks!

0 Karma
Reply

DalJeanis
Legend
‎03-31-2017 09:31 AM

This part generates some test data that doesn't happen to start on the first of the month or end on the last day...

| makeresults 
| eval mytime=strptime("2017-02-03","%Y-%m-%d") 
| eval host ="host1 host2 host3 host1 host2 host4" | makemv host 
| eval thedays="3 4 5 3 6 7 8 2 12 15 1 16 20" | makemv thedays 
| mvexpand host | mvexpand thedays 
| eval _time=mytime+thedays*86400+(random()%5)*86400 
| table _time host

All of the above goes into the "your search here" portion below for testing. This part calculates count for each host for each day, then calculates the start and end of the month, and puts out one record for each host for the first and last days, with zero as the sum of the count. Notice that we've changed the word "count" to something else, to avoid confusing splunk's timechart command with its own count field...

 (your search here)
| bin _time span=1d
| stats count as reccount by host _time
| appendpipe 
    [| stats min(_time) as minTimeEpoch values(host) as host
     | eval minDateEpoch=strptime(strftime(minTimeEpoch,"%Y-%m")."-01","%Y-%m-%d")
     | eval maxDateEpoch=strptime(strftime(minDateEpoch+31*86400,"%Y-%m")."-01","%Y-%m-%d")-86400
     | eval temp=mvappend(minDateEpoch,maxDateEpoch)
     | eval reccount = 0 
     | mvexpand temp
     | eval _time=temp
     | table _time host reccount
     | mvexpand host
    ]
| timechart span=1d limit=0 sum(reccount) as count by host
0 Karma
Reply

somesoni2
Revered Legend
‎03-31-2017 08:56 AM

The default behaviour of timechart is to show points for whole selected time range and not just the period where it finds data. It's managed by attribute fixedrange which defaults to true. May be try to add that your search and see. Check if following works better

your base search | timechart span=1d limit=0 fixedrange=t count by host
Reply

woodcock
Esteemed Legend
‎03-31-2017 02:16 PM

@somesoni2 is DEAD ON. Look at the difference between these 2 searches:

index=_* earliest=-1mon@d latest=now
| where _time > relative_time(now(), "-20d@d")
| timechart count BY sourcetype fixedrange=f limit=0 span=1d

index=_* earliest=-1mon@d latest=now
| where _time > relative_time(now(), "-20d@d")
| timechart count BY sourcetype fixedrange=t limit=0 span=1d

The only thing that is strange is that (at least for my version), fixedrange=t is the default so yours should already be doing this, unless you are using fixedrange=f by mistake.

0 Karma
Reply

niketn
Legend
‎03-31-2017 08:50 AM

I think I have misinterpreted the question. Converting to comment, for the question to be picked up by others.

First of all keep your span next to the timechart command timechart span=1d. Sometimes timechart picks up default span based on duration selected.

Second see if you have a curb on upper limit of hosts rather than using limit=0. Based on your number of hosts in your data lets say above 40 for 30 days, you might get more than 1000 data points plotted and span will get automatically set based on your above query. You should ensure that limit and span are used in a way that they do not generate more than 1000 data points (if you really need them you can override the same through configuration file but it will be tough to even visualize those many data points).

Finally to answer our question, If you want all values for a month, you can add fillnull to include 0 values in the series you are plotting

| timechart  span=1d count by host limit=20 useother=f
| fillnull value=0
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...