How To Transparently Switch Indexes in Splunk

Posted by David Veuve - 2011-05-10 16:59:10
The Problem

I have been building a Splunk app to monitor customer usage of a product.

In particular, we're replacing some very ugly and generally inaccurate Zenoss graphs with Splunk precision. Zenoss, for those who haven't interacted with it, is an RRD-based monitoring tool. That means it has accuracy issues and some interesting quirks, but it is exceedingly good at transparently summarizing data. If you're looking at a chart in Zenoss (or, more accurately, 30+ charts on one giant dashboard), you can zoom out with the click of a button, go back in time, then go forward again without ever having to switch to a different view, wait six minutes for a query to run, or generally be aware of the mechanics behind the scenes. I wanted that for Splunk.

The Other Problem

How can I make sure that Splunk will give me the most granular, accurate bins possible in my timecharts? (What's that?)

The Solution (High Level)

With the help of Sideview Utils, and the extreme time generosity of Sideview Apps founder Nick Mealy, I was able to do just that. I don't yet have the zoom buttons (by the way, Nick...), but what I do have is this. When a user selects an entire month of data, the app automatically selects the hourly summary data and knows that it should summarize it in 4-hour increments. If the user selects six months of data, it automatically selects the daily summary data and uses 1-day increments. When a user selects the last four hours, or the last 24 hours, it automatically selects the raw data and uses 10-minute increments (which is how often data gets into my system).
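Before the detail, here is the selection rule from the paragraph above written out as code, so the behaviour is unambiguous. This is an added example, not code from the original post or from Sideview Utils: the index names, the cut-over points between tiers (the post only fixes the behaviour at a day, a month and six months), the field names in the timechart, and the small relative-time parser are all assumptions made for the illustration.

```javascript
// Added example, not code from the original post or from Sideview Utils.
// Index names, tier cut-overs, field names and the relative-time parser
// are assumptions for illustration only.

// Seconds per Splunk relative-time unit (a month approximated as 30 days).
const SECONDS = { s: 1, m: 60, h: 3600, d: 86400, w: 7 * 86400, mon: 30 * 86400 };

// Tiers, finest first. The post fixes three points: a day or less comes from
// raw data at 10 minute bins, a month from the hourly summary at 4 hour bins,
// six months from the daily summary at 1 day bins. The cut-overs between
// those points (2 days, 60 days) are assumed here.
const TIERS = [
  { maxSeconds: 2 * 86400,  index: 'product_usage',        span: '10m' }, // raw events (assumed name)
  { maxSeconds: 60 * 86400, index: 'summary_usage_hourly', span: '4h'  }, // hourly summary (assumed name)
  { maxSeconds: Infinity,   index: 'summary_usage_daily',  span: '1d'  }, // daily summary (assumed name)
];

// Resolve a time token to epoch seconds. Accepts "now", a plain epoch
// number, or "-<n><unit>" with an optional "@snap" suffix. The snap suffix
// is accepted but ignored: it moves the boundary by less than one unit,
// which is a small error for the purpose of choosing a tier.
function toEpoch(token, now) {
  if (token === 'now') return now;
  if (/^\d+$/.test(token)) return Number(token);
  const m = /^-(\d+)(mon|w|d|h|m|s)(@[\w-]*)?$/.exec(token);
  if (!m) throw new Error('unsupported time modifier: ' + token);
  return now - Number(m[1]) * SECONDS[m[2]];
}

// Width of the selected range in seconds; rejects inverted or empty ranges.
function rangeSeconds(earliest, latest, now = Math.floor(Date.now() / 1000)) {
  const width = toEpoch(latest, now) - toEpoch(earliest, now);
  if (!(width > 0)) throw new Error('latest must be after earliest');
  return width;
}

// Choose the finest tier whose ceiling covers the range.
function pickTier(seconds) {
  return TIERS.find((t) => seconds <= t.maxSeconds);
}

// Build the search the dashboard would run. The only user-controlled parts
// are the two time tokens, and the strict parser above has already rejected
// anything that is not "now", an epoch number or a "-<n><unit>" modifier, so
// nothing from the time picker can smuggle extra search commands into the string.
function buildSearch(earliest, latest, now) {
  const tier = pickTier(rangeSeconds(earliest, latest, now));
  // sum(count) and product are placeholder field names for whatever the
  // summary-indexing searches actually emit.
  return `search index=${tier.index} earliest=${earliest} latest=${latest} ` +
         `| timechart span=${tier.span} sum(count) AS count BY product`;
}

console.log(buildSearch('-24h', 'now'));  // raw index, 10m bins
console.log(buildSearch('-30d', 'now'));  // hourly summary, 4h bins
console.log(buildSearch('-6mon', 'now')); // daily summary, 1d bins
```

The important property is that both the index and the span come out of one fixed table keyed only by the width of the range, so a user can never pair the raw index with a coarse span (slow, pointless) or a summary index with a span finer than the summary itself (bins that are mostly empty). Whatever values you choose for the cut-overs, keep each tier's span no finer than the granularity of the data in that index.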

The Solution (In Detail)

Sideview Utils and magic JavaScript to the rescue.