@viggor - Did one of the answers below help provide a solution to your question? If yes, please click "Accept" below the best answer to resolve this post. If no, please leave a comment with more feedback. Thanks.
As @somesoni2 mentions, it is undocumented, but here is my shot at it. Bear with the long answer 🙂
I think a value (x,y) in a time chart should be taken as a y value inside the bucket [x, x+T), where x represents the bucket start time. Hence how to calculate x (the start time of the first bucket) is of importance, as T will always be decided by the span you chose in the timechart command. Hence I discuss it below.
Remember x (if we take it as the first bucket's start time, so that the first bucket becomes [x, x+T)) has to be such that it covers the first event of your data (as per the time chosen for the search query) as well as such that it can cover all your data (till the end time) in buckets of T spans.
I took some samples as follows to test how a timechart will divide the buckets when, as part of the query, it is given a search start time (earliest) as StartInTimePicker, a search end time (latest) as EndInTimePicker and a span as spanInSec while plotting the timechart. Based on the multiple values that I chose, here is how it divided and decided the startBucketTime and, after a certain number of T (spansInSec), the LastBucketTime:
StartTimeInTimePicker  EndTimeInTimePicker  Span  StartBucketTime      LastBucketTime
2016-11-09 00:29:00    2016-11-09 01:20:00  30m   2016-11-09 00:00:00  2016-11-09 01:00:00
2016-11-09 00:29:00    2016-11-09 01:31:00  30m   2016-11-09 00:00:00  2016-11-09 01:30:00
2016-11-09 00:29:59    2016-11-09 00:59:59  30m   2016-11-09 00:00:00  2016-11-09 00:30:00
2016-11-09 00:29:00    2016-11-09 00:31:00  9s    2016-11-09 00:28:57  2016-11-09 00:30:54
2016-11-09 00:29:00    2016-11-09 00:31:04  9s    2016-11-09 00:28:57  2016-11-09 00:31:03
It is clear from the above that most probably ONLY the earliest, latest and span decide how buckets will be divided. Here is the formula below, where you can replace the time picker times (StartInTimePicker, EndInTimePicker) with times of your choice in the time picker and the timechart span of your query (spansInSec) to see if the results show up the way they do in your timechart bucket statistics table.
|makeresults
| eval StartInTimePicker="2016-11-09 00:29:00"
| eval EndInTimePicker="2016-11-09 00:31:04"
| eval spansInSec=9
| eval setStartEpoch=strptime(StartInTimePicker, "%Y-%m-%d %H:%M:%S")
| eval setEndEpoch=strptime(EndInTimePicker, "%Y-%m-%d %H:%M:%S")
| eval startBucketTime=strftime((setStartEpoch - (setStartEpoch % spansInSec)), "%Y-%m-%d %H:%M:%S")
| eval endBucketTime=strftime((setEndEpoch - (setEndEpoch % spansInSec)), "%Y-%m-%d %H:%M:%S")
| table StartInTimePicker,EndInTimePicker, spansInSec, startBucketTime, endBucketTime
The span is taken in seconds for understanding; however, if you take the span in minutes in timechart, then fill the spanInSec value in the above query with the equivalent seconds value and try yourself.
Once we have startBucketTime and endBucketTime, it should be a simple task to represent the [x, x+T), [x+T, x+T+T), [x+T+T, x+T+T+T) ... [x+(n-1)T, x+nT) buckets as a loop of interval generation as follows:
for( int ii=startBucketTime; ii<=endBucketTime; ii=ii+spanInSec)
    print "[ ii, ii+spanInSec)"
This is how I think bucket times are being generated to decide [x, x+T).
I don't believe it's described anywhere in the documentation, but here is my observation.
The time interval depends upon the span and the time range for the search. Consider the example timechart span=10m count with a time range of last 4 hrs. What Splunk does is start creating a time bucket for every 10 mins from time 0 (1970/01/01 00:00) to the latest of the time range (now); the time series will be 1970/01/01 00:00, 1970/01/01 10:00, 1970/01/01 20:00 ....... 2016/11/09 15:30, 2016/11/09 15:40. Then it selects buckets based on the time range, earliest and latest, and selects all buckets which the time range includes, including partially included buckets. So, considering the current time as 2016/11/09 15:48, and the time range as 2016/11/09 11:48 to 2016/11/09 15:48, the buckets included in the time range will be 2016/11/09 11:40, 2016/11/09 11:50, 2016/11/09 12:00 .... 2016/11/09 15:30, 2016/11/09 15:40.
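Both answers above describe the same rule: bucket starts are multiples of the span counted from the Unix epoch, and the search window keeps every bucket it touches, including partial ones at either end. The following Python is an added example written for this page (it is not code from either poster and not a Splunk API); it reimplements the first answer's epoch - (epoch % span) arithmetic, checks it against the observed table, enumerates the half-open [x, x+T) buckets, and counts constructed sample events into them so the boundary behaviour is visible. It assumes the timestamps are UTC, which is what makes plain epoch arithmetic line up with the clock times in the table; the helpers span_seconds, floor_to_span, bucket_bounds, bucket_intervals and count_by_bucket are names chosen here.

```python
# Added example, not from either answer above: reproduce the observed bucket
# alignment with epoch - (epoch % span) and enumerate half-open [x, x+T) buckets.
# Assumption: timestamps are UTC, so epoch arithmetic matches the clock times.
from datetime import datetime, timedelta, timezone

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def span_seconds(span):
    """Convert a timechart-style span such as '9s', '30m' or '4h' to seconds.
    Helper defined for this example, not a Splunk function."""
    return int(span[:-1]) * UNIT_SECONDS[span[-1]]


def parse_ts(text):
    """Parse 'YYYY-MM-DD HH:MM:SS' as a UTC datetime (assumption: no local offset)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def fmt(dt):
    return dt.strftime("%Y-%m-%d %H:%M:%S")


def floor_to_span(dt, span_sec):
    """Start of the span-aligned bucket containing dt: epoch - (epoch % span),
    the same arithmetic as the SPL eval in the first answer."""
    epoch = int(dt.timestamp())
    return datetime.fromtimestamp(epoch - epoch % span_sec, tz=timezone.utc)


def bucket_bounds(earliest, latest, span):
    """(first bucket start, last bucket start) for a search window and span."""
    s = span_seconds(span)
    return floor_to_span(parse_ts(earliest), s), floor_to_span(parse_ts(latest), s)


def bucket_intervals(earliest, latest, span):
    """Every half-open bucket [x, x+T) from the first to the last bucket start,
    keeping the last bucket even when the window only partially covers it."""
    step = timedelta(seconds=span_seconds(span))
    first, last = bucket_bounds(earliest, latest, span)
    buckets = []
    cur = first
    while cur <= last:
        buckets.append((cur, cur + step))
        cur += step
    return buckets


def count_by_bucket(event_times, earliest, latest, span):
    """Count events per bucket. Half-open semantics: an event at exactly x+T
    belongs to the next bucket, not to [x, x+T)."""
    s = span_seconds(span)
    counts = {fmt(start): 0 for start, _ in bucket_intervals(earliest, latest, span)}
    for text in event_times:
        key = fmt(floor_to_span(parse_ts(text), s))
        if key in counts:  # events outside the search window are ignored
            counts[key] += 1
    return counts


# Rows observed in the first answer's table: (earliest, latest, span, first, last).
OBSERVED = [
    ("2016-11-09 00:29:00", "2016-11-09 01:20:00", "30m", "2016-11-09 00:00:00", "2016-11-09 01:00:00"),
    ("2016-11-09 00:29:00", "2016-11-09 01:31:00", "30m", "2016-11-09 00:00:00", "2016-11-09 01:30:00"),
    ("2016-11-09 00:29:59", "2016-11-09 00:59:59", "30m", "2016-11-09 00:00:00", "2016-11-09 00:30:00"),
    ("2016-11-09 00:29:00", "2016-11-09 00:31:00", "9s",  "2016-11-09 00:28:57", "2016-11-09 00:30:54"),
    ("2016-11-09 00:29:00", "2016-11-09 00:31:04", "9s",  "2016-11-09 00:28:57", "2016-11-09 00:31:03"),
]


def reproduces_table():
    """True if the floor arithmetic yields every observed row."""
    for earliest, latest, span, first, last in OBSERVED:
        f, l = bucket_bounds(earliest, latest, span)
        if (fmt(f), fmt(l)) != (first, last):
            return False
    return True


if __name__ == "__main__":
    print("table reproduced:", reproduces_table())
    for start, end in bucket_intervals("2016-11-09 00:29:00", "2016-11-09 00:31:04", "9s"):
        print(f"[{fmt(start)}, {fmt(end)})")
    # Constructed sample events showing the half-open boundary: 00:30:00 and
    # 01:00:00 fall into the bucket that starts at that instant, not the one before.
    events = ["2016-11-09 00:29:59", "2016-11-09 00:30:00",
              "2016-11-09 00:59:59", "2016-11-09 01:00:00"]
    print(count_by_bucket(events, "2016-11-09 00:29:00", "2016-11-09 01:20:00", "30m"))
```

The same functions cover the second answer's case: bucket_bounds("2016-11-09 11:48:00", "2016-11-09 15:48:00", "10m") gives 11:40 and 15:40 as the first and last bucket starts, which is the 25-bucket series that answer lists. If your Splunk instance renders times in a zone whose UTC offset is not a multiple of the span, the clock-time boundaries you see will differ from this UTC arithmetic; the epoch values themselves do not change.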
Please add more details to your problem.