I have a feeling there is a simple solution to this, I am just not seeing it. Possibly appending null data at the start and end of the time range.
GOAL: I want to create a dashboard showing "Yesterday", and 2 rows. First row contains a chart of multiple usage metrics (CPU, swap, lots of lines), right under that is a row with a bar chart of "events". Both charts should display the exact same time span. If the user picks "Yesterday", both graphs should show Midnight to Midnight even if there are only a few "events" in the second chart.
I do not want to overlay two chart types. I have other Advanced XML charts with overlays, but this set of data is too messy, and the charts need to be easy to read. Advanced XML okay if I can use that to force the chart x-axis range.
Example (EDITED to show full search):
sourcetype="alert_log" | rex field=_raw "(?i)(?:[^ ]* ){6}(?P<alert_type>\S+)\s+\S+\s+(?P<alert_level>\S+)\s+on\s+(?P<alert_host>\S+)\s+\((?P<alert_subcategory>[^\)]+)\):{0,1}(?P<alert_message>.*)$" | search alert_host="$hostname$" |stats count(alert_host) by _time
returns
_time                     count(alert_host)
7/25/13 1:15:10.000 AM    1
7/25/13 3:05:05.000 AM    1
7/25/13 3:20:05.000 AM    1
7/25/13 4:00:05.000 AM    1
7/25/13 4:15:05.000 AM    1
7/25/13 4:35:05.000 AM    1
7/25/13 4:45:05.000 AM    2
7/25/13 5:10:05.000 AM    1
7/25/13 7:00:05.000 AM    1
7/25/13 8:20:05.000 AM    1
I have tried the chart two ways; both give the same result: it only shows 1 AM to 8 AM, not the full 24 hours.
.. | search alert_host="$hostname$" |timechart count
or
.. | search alert_host="$hostname$" | timechart fixedrange=true count
We are using Splunk 5.0.1.
Edit - Additional Example
Here is the build-up of what I have. First "alert_log" rows look like:
"Sun Jul 28 23:55:04 2013 - appload [15712] OK on hostname508 (P_5555)"
or
"Sun Jul 28 15:50:04 2013 - load [30740] NOTICE on hostname508 (load): load (37.54) is above 10"
When this is run with "Yesterday" timespan for one host and all events, it shows events 7/28/13 12:00 AM through 7/28/13 11:30 PM as expected due to the heartbeat events. Add alert_type!=OK to remove the heartbeats.
sourcetype="alert_log" | rex field=_raw "(?i)(?:[^ ]* ){6}(?P<alert_type>\S+)\s+\S+\s+(?P<alert_level>\S+)\s+on\s+(?P<alert_host>\S+)\s+\((?P<alert_subcategory>[^\)]+)\):{0,1}(?P<alert_message>.*)$" | search alert_host="hostname508" alert_level!=OK |timechart count
Only 4 events occurred, at 8:20 AM yesterday. The output timechart has only one column, at 8:20 AM, and the table view has just one row.
Thanks in advance --AFL
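The padding idea floated at the top of the question (null data at the start and end of the range), worked through outside Splunk as an added Python example that is not part of the original post: it buckets the sparse `stats` rows shown above into fixed spans and zero-fills every bucket from midnight to midnight, which is the shape a chart needs in order to span the whole day even when the alerts cluster in one morning. The 30-minute span and the 7/25/13 date are assumptions taken from the table.

```python
from datetime import datetime, timedelta

# Constructed sample: the sparse `stats count(alert_host) by _time` rows from the question.
SPARSE_ROWS = [
    ("7/25/13 1:15:10.000 AM", 1),
    ("7/25/13 3:05:05.000 AM", 1),
    ("7/25/13 3:20:05.000 AM", 1),
    ("7/25/13 4:00:05.000 AM", 1),
    ("7/25/13 4:15:05.000 AM", 1),
    ("7/25/13 4:35:05.000 AM", 1),
    ("7/25/13 4:45:05.000 AM", 2),
    ("7/25/13 5:10:05.000 AM", 1),
    ("7/25/13 7:00:05.000 AM", 1),
    ("7/25/13 8:20:05.000 AM", 1),
]
TIME_FMT = "%m/%d/%y %I:%M:%S.%f %p"  # the _time format shown in the question's table


def pad_day(rows, day, span_minutes=30):
    """Bucket (time_string, count) rows into fixed spans and zero-fill every bucket
    from midnight to midnight of `day`, so the series always covers 24 hours.
    Rows outside the day are dropped, mirroring a 'Yesterday' time picker."""
    span = timedelta(minutes=span_minutes)
    start = datetime(day.year, day.month, day.day)
    end = start + timedelta(days=1)
    n_buckets = int(timedelta(days=1) / span)
    # Every bucket starts at zero: the padding that forces the full-day axis.
    buckets = [[start + i * span, 0] for i in range(n_buckets)]
    for time_str, count in rows:
        ts = datetime.strptime(time_str, TIME_FMT)
        if not (start <= ts < end):
            continue
        idx = int((ts - start) / span)  # which span this event falls into
        buckets[idx][1] += count
    return [(bucket_start, count) for bucket_start, count in buckets]


def padded_yesterday_example():
    """The question's 7/25/13 rows padded to a midnight-to-midnight series."""
    return pad_day(SPARSE_ROWS, datetime(2013, 7, 25))


if __name__ == "__main__":
    for bucket_start, count in padded_yesterday_example():
        print(bucket_start.strftime("%H:%M"), count)
```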