Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

scatter chart is not working.

Anantha123
Communicator
‎09-05-2019 08:55 AM

Hi,

I am running a query to show in scatter chart with name-field, X-axis and Y-axis . This Query throws over 15000 results for past 24 hrs . Since the limit of scatter chart is 10000 , I gave limit=5000 to try . When I am running the query for 60 mins ,I get the scatter chart as expected . But when I run same query for 24 hrs ( the record may be high but I have the limit added in query ) , It is breaking the search by saying "script long running - stop script" . Please advice

Tags (2)
0 Karma
Reply

DalJeanis
Legend
‎09-06-2019 02:02 PM

Okay, here's the way to connect all the dots at one time more efficiently. This method is called the "Splunk Stew" method, and uses stats to join on the key instead of join.

index="123Prod" source="/var/ABC/CDE/trace.log" 
   (StartAuthenticationSession) OR
   (responseType=AuthenticationSucceeded sessionCompleted)
| rex field=_raw "traceId=\"(?[^:]+)"
| eval OutTime=case(responseType="AuthenticationSucceeded",_time)
| eval InTime=case(isnull(OutTime),_time)
| stats min(InTime) as InTime max(OutTime) as OutTime by TraceID

Then, given those results, you can cull them to only 5K with 

| sort 5000 InTime

See how that works for you.

The "Splunk Stew" method is more fully described here - https://answers.splunk.com/answers/524250/how-to-search-for-matches-in-two-different-searche.html

0 Karma
Reply

DalJeanis
Legend
‎09-05-2019 10:42 AM

Sounds like your search needs to be tuned. If you post the code, we can suggest ways to make it run more effectively.

0 Karma
Reply

Anantha123
Communicator
‎09-06-2019 07:27 AM

index="123Prod" source="/var/ABC/CDE/trace.log" StartAuthenticationSession
| rex field=_raw "traceId=\"(?[^:]+)"
| rename _time as InTime
| stats min(InTime) as InTime by TraceID
| table InTime TraceID | sort InTime limit=5000
| join TraceID
[ search index="123Prod" source="/var/ABC/CDE/trace.log" responseType=AuthenticationSucceeded sessionCompleted
| rex field=_raw "traceId=\"(?[^:]+)"
| table _time, TraceID
| rename _time as OutTime
| table OutTime , TraceID]
| table TraceID InTime OutTime

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...