Refine your search:

How do I change the default granularity on a chart?

4
3

How do I change the default granularity on a chart? It appears I'm hitting a limit somewhere and I'm not getting as many results graphed as I would like. Minutes get bubbled to hours and hours to days etc. I would like to force the chart to stay in a "minutes" granularity longer.

asked 03 Mar '10, 19:20

dskillman's gravatar image

dskillman ♦
487110
accept rate: 29%

edited 04 May '11, 17:20

jlaw's gravatar image

jlaw ♦
20113
2 Answers:
oldestnewestmost voted
7

The bins comment is totally accurate, in that you can use this to raise the maximum number of bins, and thus raise the granularity: 

| timechart bins=1500 count

but i think as you've discovered, there's another limit even after you've fixed that, of 250 rows, and that the flash only seems to graph from the first 250 rows even when there are more.

What you're hitting is a 250 row limit on the FlashChart module in the UI itself.

If you're authoring in the advanced XML (which you probably are not), the the FlashChart module takes a param called maxResultCount, which is optional and defaults to 250.

If on the other hand you're authoring in the simplified XML, you can effect the same thing with a charting key: 

<option name="charting.data.count">1000</option>

add one of those to your <chart> like so

 <chart>
    <searchString>foo | timechart bins=1000 count by sourcetype</searchString>
    <earliestTime>-6h</earliestTime>
    <latestTime>-0s</latestTime>
    <option name="charting.chart">line</option>
    <option name="charting.data.count">1000</option>
  </chart>

And to show the code in the land of the Advanced XML, you would add this param: 

<param name="maxResultCount">1000</param>

to your FlashChart module. Hopefully that will get you going.

link

answered 04 Mar '10, 00:26

nick's gravatar image

nick ♦
14.2k1318
accept rate: 46%

edited 10 Sep '10, 17:21

1

You can use the bins= parameter on the timechart command. For example:

| timechart bins=1500 count

will attempt to use up to 300 time bins for whatever time range you specify. The time bins will snap to a convenient number (e.g., 15 minutes, 5 minutes, 30 seconds, 30 minutes, etc., but not something like 29 minutes). You could also set a fixed span with the span= option:

| timechart span=1m count

But this will cause an error if your time range covers more than 50,000 seconds (which is over 1 month).

Also note that the UI will only return up to 10,000 results, and it is excessive to graph more than a few hundred bins.

link

answered 03 Mar '10, 23:23

gkanapathy's gravatar image

gkanapathy ♦
26.4k1622
accept rate: 42%

Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×194
×126
×96
×71

Asked: 03 Mar '10, 19:20

Seen: 1,690 times

Last updated: 04 May '11, 17:20

Related questions

Change default web UI locale?

How can i change the span in timechart when the timeRangePicker is change?

Charting / Graphing Multiple data sources one chart

charting results of 3 different searches to be in 1 chart

Using Custom UI Navigation Besides Default.xml??

Change Chart Type in a Saved Search

Timechart and Chart display buggy column "count" when using "limit=0"

Time scale format change in timechart

Copyright © 2005-2012 Splunk, Inc. All rights reserved.