Solved: How to adjust the time in a timechart?

pavanae · ‎10-25-2016

I have a timechart which displays the results for the past 7 days. But now i don't want the Splunk to display the results for 24 hours of the each day in last 7 days. Instead of that, I just want to display the timechart from evening 7'o clock to morning 7'o clock for the last 7 days.

Is this scenario possible in Splunk? If yes, how can we do that?

gokadroid · ‎10-25-2016

Can you try this please:

your Query that returns data of last seven days
|eval myHour=strftime(_time, "%H") 
| where myHour>=19  OR myHour<7
| complete your query to draw the timechart

OR adding per suggestion below:

your Query that returns data of last seven days
| where date_hour>=19 OR date_hour<7
| complete your query to draw the timechart

View solution in original post

gokadroid · ‎10-25-2016

Can you try this please:

your Query that returns data of last seven days
|eval myHour=strftime(_time, "%H") 
| where myHour>=19  OR myHour<7
| complete your query to draw the timechart

OR adding per suggestion below:

your Query that returns data of last seven days
| where date_hour>=19 OR date_hour<7
| complete your query to draw the timechart

lquinn · ‎10-25-2016

You could also just use the date_hour field in splunk, that is already extracted, instead of creating the myHour field.

gokadroid · ‎10-25-2016

thanks @Iquinn Let me update that in the query as per suggestions. Awesome stuff.

ppablo · ‎10-26-2016

It might be good to read up on some cautionary advice by search gurus @lguinn and @sideview on this post:
https://answers.splunk.com/answers/387130/why-is-date-hour-inconsistent-with-h.html#answer-387134

gokadroid · ‎10-27-2016

ok, so sounds like extracting the %H using strftime is the way to go as suggested in the read and as was in the initial answer. Thanks @ppablo_splunk

How to adjust the time in a timechart?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!