I have a dashboard that contains multiple timecharts. (Splunk Enterprise 6.4.)
All of the timecharts present performance metrics from the same events, in the same time range. For example: average CPU time, average response time, count (number of events).
Currently, each timechart has its own self-contained search string.
I want to "save search resources by creating a base search", as described in the [Splunk docs][1].
Due to the documented limitations of post-process searches, I think I ought to set a bin span in the base ("global") search, to limit the number of search results that the base search passes to the post-process search for each timechart, because I want this dashboard to work for any time range: from several years, to fractions of a second.
Hence this question: I want the base search to *dynamically* set a [bin span][2] that is proportional to the time range set by the time range picker. I don't yet have a clear notion of what spans to set for different time ranges, but for a time range of a few years, it might be something like 7 days. The bigger the time range, the bigger the span.
What's the best way to do this?
I'm prepared to investigate an answer myself, but it occurs to me that this might be a common requirement, and I'd prefer not to reinvent the wheel (especially not one that I later discover is inferior to an existing wheel :-) ).
A closely related follow-on issue, that probably deserves its own, separate question: when I zoom a timechart, I want (as expressed by others in existing questions) the rest of the dashboard (including the time range picker and other timecharts) to update to match that zoomed time range. But I want something more (which might happen anyway, depending on the implementation of the "dynamic bin based on time range" solution): I want the base search to adjust its bin span to match the zoomed time range.
If all this sounds too complicated, here's my requirement in a nutshell: when I zoom, I want to see more detail.
[1]: http://docs.splunk.com/Documentation/Splunk/6.4.0/Viz/Savedsearches#Post-process_searches
[2]: http://docs.splunk.com/Documentation/Splunk/6.2.5/SearchReference/Bin#Span_options
↧