Solved: How do I get a search with "timechart span=1d" to ...

Vignesh5r · ‎08-15-2016

I have a search like below.

If i run this search, let's say now, it fetches transaction (as per the display ) not from the TOP of the hour, but from the time I have run the search.

Let's say I run this for the last 7 days.
It takes only from 8/8 15:00 hrs till now and not 8/8 00:00 hrs until now.

I tried 1d and as well as 24 hours, but same thing. How do we have the result fetched from the top of the hour?

index!=_internal "test" |  rex "(?i)fieldname1=(?P[^]]+)" | dedup FIELDNAME | timechart span=1d count

sundareshr · ‎08-15-2016

Try this

index!=_internal "test" earliest="-7@d" |  rex "(?i)fieldname1=(?P[^]]+)" | dedup FIELDNAME | timechart span=1d count

View solution in original post

sundareshr · ‎08-15-2016

Try this

index!=_internal "test" earliest="-7@d" |  rex "(?i)fieldname1=(?P[^]]+)" | dedup FIELDNAME | timechart span=1d count

Masa · ‎08-15-2016

sundareshr typo ? earliest="-7d@d"

https://docs.splunk.com/Documentation/Splunk/6.4.2/Search/Specifytimemodifiersinyoursearch

Vignesh5r · ‎08-15-2016

Thanks Masa!!

Vignesh5r · ‎08-15-2016

Thanks Sundar. This works. With the correction provided, i am indicatig the final query which worked and took transactions from 00:00 hrs 7 days ago till now.

index!=_internal "test" earliest="-7@d@d" |  rex "(?i)fieldname1=(?P[^]]+)" | dedup FIELDNAME | timechart span=1d count

Thanks once again Sundar

How do I get a search with "timechart span=1d" to return and display events from the top of the hour?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!