I have summary search creating summarised data (number of accesses in an access log) once per minute (we are specifying span=1m in the sitimechart command).
My users will want to be able to view a timechart for this data covering data periods between last 60 minutes and last 30 days, or even longer.
It would be nice to be able to provide a chart that is as granular as possible - but no more granular than 1 minute, or else you get the spikes/valleys in the time chart. For example, specifying bins=300 is great for all time ranges above "last 60 minutes"; you get good granularity in the chart. If the user selects "last 60 mins" from the time range, timechart decides to use a 30 second span, so every second point has no data and the chart "breaks". Using a smaller "bins" value like 150 fixes the "last 60 mins" time period, but means that a longer time period, such as "last 7 days", reverts to 1 point per day, which is pretty useless.
Being able to set the minimum granularity (i.e. to the equivalent span of the summary search) would be an excellent feature when it comes to summary dashboards.
PS. The documentation's claim that bins=300 is the default option for timechart appears to be wrong. You get far fewer bins by default, and if you specify bins=300 the span/chart changes. Test 4.1.5 and 4.3. It looks like someone spotted this a long time ago at Timechart Using Too Few Bins on Splunk Answers
asked 20 Feb '12, 06:49
Timechart has an option that does exactly this, and it's called "minspan", and it was created precisely for summarized data:
This will have bins that are at least 10m, but perhaps wider, depending on the timerange of the search. This option is compatible with bins, but not span, which is explicit.
answered 21 Feb '12, 08:34
Stephen Sorkin ♦
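The effect the answer describes can be checked offline with a small model of bucket selection. The following is an added example written for this page, not Splunk code and not Splunk's actual span-selection algorithm: the `NICE_SPANS` table, `choose_span` and `bin_summary` are simplifying assumptions, and the summary rows are constructed. It shows why a 60-minute range with bins=300 lands on a 30 second span that leaves every second bucket empty when the underlying data is one row per minute, and why a 1 minute floor (the role `minspan` plays) removes those gaps without affecting the span chosen for longer ranges.

```python
import math

# Assumed "round up to a readable span" ladder, in seconds.
# This is a model for illustration, not Splunk's real table.
NICE_SPANS = [1, 5, 10, 30, 60, 300, 600, 900, 1800, 3600,
              7200, 14400, 43200, 86400]


def choose_span(range_seconds, bins, minspan_seconds=0):
    """Pick a bucket width for a time range given a bin budget.

    range_seconds / bins gives the raw width; it is rounded up to the
    next entry of NICE_SPANS and then floored at minspan_seconds, which
    models what a minimum span does for pre-summarised data.
    """
    raw = range_seconds / bins
    span = next((s for s in NICE_SPANS if s >= raw), NICE_SPANS[-1])
    return max(span, minspan_seconds)


def bin_summary(rows, start, end, span):
    """Bucket (epoch, count) rows into fixed-width buckets over [start, end).

    Empty buckets are kept with a total of 0 so gaps become visible,
    which is exactly what produces the "spikes/valleys" in a chart.
    """
    totals = {}
    for ts, count in rows:
        if start <= ts < end:
            bucket = start + ((ts - start) // span) * span
            totals[bucket] = totals.get(bucket, 0) + count
    return [(b, totals.get(b, 0)) for b in range(start, end, span)]


def empty_buckets(binned):
    """Number of buckets that received no data."""
    return sum(1 for _, total in binned if total == 0)


def plan(range_seconds, bins, minspan_seconds, rows, start):
    """Return (span, bucket_count, empty_count) for a given request."""
    span = choose_span(range_seconds, bins, minspan_seconds)
    binned = bin_summary(rows, start, start + range_seconds, span)
    return span, len(binned), empty_buckets(binned)


# Constructed summary data: one row per minute for one hour,
# like a summary search with span=1m would produce.
START = 1_700_000_040
SUMMARY_ROWS = [(START + i * 60, 100 + i) for i in range(60)]

if __name__ == "__main__":
    hour = 3600
    print("60m, bins=300, no minspan:", plan(hour, 300, 0, SUMMARY_ROWS, START))
    print("60m, bins=300, minspan=1m:", plan(hour, 300, 60, SUMMARY_ROWS, START))
    print("7d,  bins=300 span:", choose_span(7 * 86400, 300, 60))
    print("30d, bins=300 span:", choose_span(30 * 86400, 300, 60))
```

With the model's ladder the 60 minute range picks a 30 second span and 60 of the 120 buckets are empty; adding a 60 second floor yields 60 buckets with none empty, while the 7 day and 30 day ranges still get hourly and 4 hourly buckets from the bin budget rather than from the floor.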
Did you try:
|timechart span=1d ....
The span=1day argument buckets your aggregated variable into a daily result set.
answered 21 Feb '12, 07:25