Splunk Search

Is there any way to set a higher default "bins=xxx" for timechart setting?

Richfez
SplunkTrust
SplunkTrust

I know I can override the default bins=100 in any particular search. Is there any way to set something slightly higher as the default?

Use case: The majority of our timechart based searches bucket reasonably well, but both Weekly and Business Weekly reports should not trigger a bump to the next bin size (daily) and should remain hourly. Unfortunately, I don't wish to have to add "bins=170" or bins="200" to all searches and would like a way to set it as the default, which sounds like a very reasonable knob that ought to be available. I can't find it though.

I can't just set span=1h because the searches may vary between "show me today" to "show me the previous year." I need to keep the dynamic span aspect, just have a few more buckets available before it kicks me into larger buckets.

1 Solution

MarioM
Motivator

have you looked at this parameter in limits.conf:

[discretize]
* This stanza set attributes for bin/bucket/discretize.

default_time_bins = <integer>
* When discretizing time for timechart or explicitly via bin, the default bins to use if no span or bins is specified.
* Defaults to 100

View solution in original post

MarioM
Motivator

have you looked at this parameter in limits.conf:

[discretize]
* This stanza set attributes for bin/bucket/discretize.

default_time_bins = <integer>
* When discretizing time for timechart or explicitly via bin, the default bins to use if no span or bins is specified.
* Defaults to 100

Richfez
SplunkTrust
SplunkTrust

Works perfectly. After double-checking and all that, I added

[discretize]
default_time_bins = 200

to /opt/splunk/etc/system/local/limits.conf, restarted splunk and now weekly searches default to hourly bins. Perfect.

Get Updates on the Splunk Community!

Splunk Community Platform Survey

Hey Splunk Community, Starting today, the community platform may prompt you to participate in a survey. The ...

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...

Avoid Certificate Expiry Issues in Splunk Enterprise with Certificate Assist

This blog post is part 2 of 4 of a series on Splunk Assist. Click the links below to see the other ...