I have a feeling there is a simple solution to this; I am just not seeing it. Possibly appending null data at the start and end of the time range.
GOAL: I want to create a dashboard showing "Yesterday", and 2 rows. First row contains a chart of multiple usage metrics (CPU, swap, lots of lines), right under that is a row with a bar chart of "events". Both charts should display the exact same time span. If the user picks "Yesterday", both graphs should show Midnight to Midnight even if there are only a few "events" in the second chart.
I do not want to overlay two chart types. I have other Advanced XML charts with overlays, but this set of data is too messy, and the charts need to be easy to read. Advanced XML is okay if I can use that to force the chart x-axis range.
Example:
.. | search alert_host="$hostname$" | stats count(alert_host) by _time
returns
    _time                     count(alert_host)
 1  7/25/13 1:15:10.000 AM    1
 2  7/25/13 3:05:05.000 AM    1
 3  7/25/13 3:20:05.000 AM    1
 4  7/25/13 4:00:05.000 AM    1
 5  7/25/13 4:15:05.000 AM    1
 6  7/25/13 4:35:05.000 AM    1
 7  7/25/13 4:45:05.000 AM    2
 8  7/25/13 5:10:05.000 AM    1
 9  7/25/13 7:00:05.000 AM    1
10  7/25/13 8:20:05.000 AM    1
I have tried the chart two ways; both give the same result: it only shows 1 am to 8 am, not the full 24 hours.
.. | search alert_host="$hostname$" | timechart count
or
.. | search alert_host="$hostname$" | timechart fixedrange=true count
We are using Splunk 5.0.1.
Thanks in advance --AFL