A pet peeve of mine in Splunk is its tendency to summarize data too much when putting it in a Timechart. It makes for smoother flowing (and I suppose more executive-friendly) charts. For example, with one of my data sources, I have data points every ten minutes (result of a script). If I graph that over the course of the last 24 hours (here: et=-24@h lt=@h), it could display 144 buckets. In reality, though, it summarizes to every 30 minutes, and drops it down to 48 buckets.
Interestingly, this is contrary to the docs, which state "If a bucketing option is not supplied,�timechart
defaults to�bins=300
." (link)
Naturally, the solution would normally be to choose a higher number of buckets. Picking, say, 145 buckets. The challenge for me is that this is on a dashboard with a TimeRangePicker. If the users zooms into look at the last 4 hours, those 145 buckets will shrink only to 48 -- one for every 5 minutes, converting my otherwise attractive area graph into a spike graph. If I only have data every 10 minutes, but the graph is doing every 5 minutes, ugliness ensues. Now, you could address this with a | where MyVal > 0, but that would prevent you from detecting a scenario where, say, data was actually missing.
Another solution would be to specify span=10m instead of the number of bins, which will work well, until you get to looking at the data over the course of 7 days and you get 1008 datapoints. Let alone looking at two years worth of data.
Basically, I want full control over the binning, so I can set exactly the levels of granularity provided by the system.
The Other ProblemHow do can I switch indexes from raw data, to hourly summary data, to daily summary data, without my users being any the wiser? (What's that?)
The Solution (High Level) With the great help of Sideview Utils and its founder Nick Mealy, I was able to set up dynamic bins such that regardless of the time window provided, I got the best level of detail for my needs. The Solution (In Detail) Sideview Utils and Magic Javascript to the rescue