I'm using a timechart to show the "concurrent users per 5-minute bucket". This works when I chart it for one day or one week, but when I chart it for a month, I just see a flat line at 0. Maybe it's because there are too many buckets. How else would I get this to display?
host="web*.p1.dfw.minted.com" (source="/srv/minted/logs/app-requests.log" OR source="/srv/minted/logs/app-requests.log-*") | jsonkv | search NOT isnull(visitor_id) | bucket _time span=5m | timechart span="5m" dc(visitor_id) as visitors
I believe timechart currently has a limit of 1000 data points on the x-axis, so you're most likely going over that limit (as of Splunk 4.2.3). The max number of days you'll be able to display on a timechart with a 5min resolution will be ~3 days (865 5-minute buckets). Using a span of 45m will get you close to the best resolution possible at 30d without hitting that limit (45m windows for 30 days = 961 buckets out of a max of 1000).
Consider increasing your bucket span to a larger interval like 45 or 60m in order to display 30 days worth of data in a timechart.
Also, if you're reporting over long time ranges like 30 days, you should probably look into Summary Indexing to speed up the time to search and generate reports. I've listed helpful links on Summary Indexing below:
Here's some info on Summary Indexing:
Video: http://www.splunk.com/view/SP-CAAACZW
Docs: http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Configuresummaryindexes
More: http://www.splunk.com/wiki/Community:Summary_Indexing
External Reference: http://www.davidveuve.com/tech/how-i-do-summary-indexing-in-splunk/
I'll also just mention that if each data point has a width of one pixel, and your average computer monitor can only fit 1080 pixels across the width (1080p), then you're going to run into that 1000 x-axis datapoint limit even if we did increase the maximum. Even my fancypants 30" monitor can only display 1600 pixels across, so I wouldn't be surprised if this remains limited until we get 4320p monitors or figure out how to split pixels 😉
I had a very similar requirement... you just need to bucket into 5 minute increments then bucket again into a larger window (eg. 1 hour) and calculate the average over than span:
host="web*.p1.dfw.minted.com" (source="/srv/minted/logs/app-requests.log" OR source="/srv/minted/logs/app-requests.log-*") | jsonkv | search NOT isnull(visitor_id) |
bucket _time span=5m | stats dc(visitor_id) as visitors by _time | bucket _time span=1h | timechart span=1h avg(visitors) as avg_visitors
All the best,
Luke 🙂
I believe timechart currently has a limit of 1000 data points on the x-axis, so you're most likely going over that limit (as of Splunk 4.2.3). The max number of days you'll be able to display on a timechart with a 5min resolution will be ~3 days (865 5-minute buckets). Using a span of 45m will get you close to the best resolution possible at 30d without hitting that limit (45m windows for 30 days = 961 buckets out of a max of 1000).
Consider increasing your bucket span to a larger interval like 45 or 60m in order to display 30 days worth of data in a timechart.
Also, if you're reporting over long time ranges like 30 days, you should probably look into Summary Indexing to speed up the time to search and generate reports. I've listed helpful links on Summary Indexing below:
Here's some info on Summary Indexing:
Video: http://www.splunk.com/view/SP-CAAACZW
Docs: http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Configuresummaryindexes
More: http://www.splunk.com/wiki/Community:Summary_Indexing
External Reference: http://www.davidveuve.com/tech/how-i-do-summary-indexing-in-splunk/
I'll also just mention that if each data point has a width of one pixel, and your average computer monitor can only fit 1080 pixels across the width (1080p), then you're going to run into that 1000 x-axis datapoint limit even if we did increase the maximum. Even my fancypants 30" monitor can only display 1600 pixels across, so I wouldn't be surprised if this remains limited until we get 4320p monitors or figure out how to split pixels 😉
Timechart does take optional span and bin arguments: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/timechart. However, the problem you're facing is the 1000 data-point limitation of timechart (also a limitation of 1080p resolution). If you need 5-minute buckets, then you are limited to a 3-day total range of the timechart.
Thanks, I'm using summary indexing already but simplified it out of the question. 🙂
My goal is to measure "concurrent users within 5 minutes". If I used a span of 45 minutes, then it would be measuring "concurrent users within 45 minutes", which would be 9 times greater.
For example, if I know that over a specific hour, there were roughly 1000 concurrent users for each 5-minute bucket, then the span of 45 minutes could be as high as 9000 users.
I hypothesized that there's a way to use "stats" to bucket by time, but I couldn't get this to work with "timechart". Can you help me?