I have the following data in my index
_time PUID TotalMinutes TotalDisconnectedMinutes
2016-04-17T00:04:21.000+0000 1003BFFD885D8FB1 853 36
2016-04-18T01:03:23.000+0000 1003BFFD885D8FB1 339 0
2016-04-19T02:04:26.000+0000 1003BFFD885D8FB1 298 0
2016-04-19T04:41:25.000+0000 1003BFFD885D8FB1 14 0
2016-04-20T00:17:48.000+0000 1003BFFD885D8FB1 188 0
2016-04-21T04:09:02.000+0000 1003BFFD885D8FB1 1013 6
2016-04-22T02:37:20.000+0000 1003BFFD885D8FB1 257 2
However, when I use the timechart command, the result is not what I expect it to be.
The search I ran:
index=tenanthealthmonitor (host=mapi_outlookAvailabilityPerPuid OR host=rpc_outlookAvailabilitPerPuid) tenant_guid=482198bb-ae7b-4b25-8b7a-6d7f32faa083 PUID=100300008479DB02 | timechart span=1d sum(TotalMinutes) as Total_Minutes, sum(TotalDisconnectedMinutes) as TotalDisconnected_Minutes usenull=f
The result is:
_time Total_Minutes TotalDisconnected_Minutes
2016-04-17T00:00:00.000+0000 989 34
2016-04-18T00:00:00.000+0000 1855 25
2016-04-19T00:00:00.000+0000 2232 72
2016-04-20T00:00:00.000+0000 1908 94
2016-04-21T00:00:00.000+0000 2014 72
2016-04-22T00:00:00.000+0000 643 17
How does timechart work?
You're querying a different dataset than you list here (PUID=1003BFFD885D8FB1 vs PUID=100300008479DB02), so the timechart output could actually be correct.
Try with the stats command; this will work better. You can put the day and month in the same field, like
eval current_date= date_month +"/"+ date_mday
In addition to what others have stated, specifying span=1d translates to a timerange of "midnight to midnight". I see the timechart is correct based on this.
You told it to use spans of 1d, so it first calls bucket _time span=1d, which rounds all _time values for date:hour to 00:00, then it does the stats stuff. How else would you expect it to work?
If you do not think the sums are correct, what is probably happening is that what is considered today (in other words, what UTC/GMT offset value do you consider midnight?) is user-specific and determined by YOUR Timezone value in YOUR user settings on that Search Head. So if you have a different value than another user, you will probably get different results.
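To make the two points above concrete (timechart = bucket _time span=1d followed by stats, with "midnight" defined by the searching user's timezone), here is an added Python sketch that is not Splunk code and not from anyone in this thread. It re-bins the seven events from the question under UTC and under a constructed UTC-3 user timezone; the EVENTS table and the -3 offset are assumptions built only from the numbers in the question.

```python
from datetime import datetime, timedelta, timezone

# Constructed from the question's table: (_time, TotalMinutes, TotalDisconnectedMinutes).
# All rows share one PUID, so it is omitted.
EVENTS = [
    ("2016-04-17T00:04:21+00:00", 853, 36),
    ("2016-04-18T01:03:23+00:00", 339, 0),
    ("2016-04-19T02:04:26+00:00", 298, 0),
    ("2016-04-19T04:41:25+00:00", 14, 0),
    ("2016-04-20T00:17:48+00:00", 188, 0),
    ("2016-04-21T04:09:02+00:00", 1013, 6),
    ("2016-04-22T02:37:20+00:00", 257, 2),
]


def timechart_1d(events, utc_offset_hours=0):
    """Mimic `bucket _time span=1d | stats sum(TotalMinutes) sum(TotalDisconnectedMinutes) by _time`.

    Each _time is converted into the user's timezone (the assumed offset),
    truncated to that timezone's midnight, and the two counters are summed
    per bucket. Buckets are keyed by the local date string so results for
    different offsets can be compared side by side. Real timechart also emits
    zero-filled rows for days with no events (cont=t default); that is omitted here.
    """
    tz = timezone(timedelta(hours=utc_offset_hours))
    buckets = {}
    for ts, total, disconnected in events:
        local = datetime.fromisoformat(ts).astimezone(tz)
        day = local.date().isoformat()  # span=1d boundary == local midnight
        t, d = buckets.get(day, (0, 0))
        buckets[day] = (t + total, d + disconnected)
    return dict(sorted(buckets.items()))


if __name__ == "__main__":
    # Under UTC the two 2016-04-19 events share a bucket (298 + 14 = 312);
    # under UTC-3 the 04:41Z event has already crossed local midnight and
    # the 02:04Z event has not, so they land in different days.
    for offset in (0, -3):
        print(f"user timezone UTC{offset:+d}:")
        for day, (total, disc) in timechart_1d(EVENTS, offset).items():
            print(f"  {day}  Total_Minutes={total:5d}  TotalDisconnected_Minutes={disc}")
```

The grand totals are identical under every offset (2962 minutes); only the per-day split moves, which is why two users on the same Search Head can see different daily sums from the same events.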
Thank you knielsen and woodcock. My bad.