Splunk Search

timechart span=60m snaps to hour whereas I want it to snap to minute

nabeel652
Builder

I'm trying to get hourly averages and compare the last to the previous one.

...some search | timechart span=60m avg(SampleValue)

However, this tends to count hourly events starting at 00 minutes of every hour up to 59 minutes. So if it is 5:01pm now and I have not received any event for SampleValue yet, it will show zero (or null) for this hour. Whereas I want it to start -60 minutes from now, so if it is 5:23pm now it should calculate an average on 4:24pm to 5:23pm and so on for the last 24 hours. Currently it seems to calculate 4:00pm to 5:00pm and 5:00pm to 5:23pm (or 6:00pm theoretically). In short it snaps to an hour whereas I want it to snap to a minute at the most...

1 Solution

nabeel652
Builder

I was working with timecharts and this worked for me:

| eval _time = _time + (3600 - tonumber(strftime(now(),"%M"))*60) | timechart span=1h avg(SampleValue) as average

because we have a limitation with timechart that it only works with _time.



rjthibod
Champion

I don't know of a built-in way of doing what you ask using commands like bucket or bin. However, I think I figured out a way to get the value you would want per bucket. Depending on how dense your samples are, you could use makecontinuous and filldown to create a timechart with the data.

... your search ...
| eventstats min(_time) as start
| eval bin = floor((_time - start)/3600)
| eventstats avg(SampleValue) as average by bin
| fields SampleValue average
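As an added illustration that is not code from the thread, the following Python models the three bucketings discussed above on one constructed data set: the plain hour-aligned `timechart span=1h` from the question, nabeel652's `_time` shift from the accepted answer, and rjthibod's bin relative to the earliest event. The sample events (one reading every 10 minutes from 15:13 to 17:23 UTC, value equal to the sample index), the fixed "now" of 17:23, and every function name are assumptions made for the example.

```python
"""Bucketing hourly averages three ways, to compare the SPL in this thread."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean

HOUR = 3600

# Constructed sample data, not taken from the thread: one SampleValue every
# 10 minutes from 15:13 to 17:23 UTC, SampleValue equal to the sample index,
# and a fixed "now" of 17:23 so the output is reproducible.
NOW = datetime(2024, 3, 1, 17, 23, tzinfo=timezone.utc)


def make_events(now=NOW, count=14, step_minutes=10):
    """Return [(timestamp, SampleValue), ...] ending exactly at `now`."""
    first = now - timedelta(minutes=step_minutes * (count - 1))
    return [(first + timedelta(minutes=step_minutes * i), float(i)) for i in range(count)]


def _epoch(t):
    return int(t.timestamp())


def _label(epoch):
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%H:%M")


def _averages(buckets, key=_label):
    return {key(k): mean(v) for k, v in sorted(buckets.items())}


def hour_aligned(events):
    """timechart span=1h as used in the question: buckets start on the hour."""
    buckets = defaultdict(list)
    for t, v in events:
        buckets[_epoch(t) // HOUR * HOUR].append(v)
    return _averages(buckets)


def shifted_to_now(events, now=NOW):
    """The accepted answer: add (3600 - now's minute * 60) seconds to _time,
    then bucket on the hour.  Bucket HH:00 then holds the real window
    [(HH-1):MM, HH:MM) where MM is now's minute, so the labels are shifted."""
    shift = HOUR - now.minute * 60
    buckets = defaultdict(list)
    for t, v in events:
        buckets[(_epoch(t) + shift) // HOUR * HOUR].append(v)
    return _averages(buckets)


def real_window(label, now=NOW):
    """Undo the shift on a bucket label, e.g. '17:00' -> '16:23-17:23'."""
    shift = timedelta(seconds=HOUR - now.minute * 60)
    start = datetime.strptime(label, "%H:%M") - shift
    return f"{start:%H:%M}-{start + timedelta(seconds=HOUR):%H:%M}"


def relative_to_first(events):
    """rjthibod's approach: bin = floor((_time - min(_time)) / 3600), so the
    windows start at the earliest event rather than at now."""
    start = min(_epoch(t) for t, _ in events)
    buckets = defaultdict(list)
    for t, v in events:
        buckets[(_epoch(t) - start) // HOUR].append(v)
    return _averages(buckets, key=lambda b: f"bin {b}")


if __name__ == "__main__":
    ev = make_events()
    print("hour aligned      ", hour_aligned(ev))
    shifted = shifted_to_now(ev)
    print("shifted to now    ", {real_window(k): v for k, v in shifted.items()})
    print("relative to first ", relative_to_first(ev))
```

Two things the model makes visible that the SPL alone does not. First, after the shift the chart's `_time` labels no longer mean what they say: the bucket labelled 17:00 really covers 16:23 to 17:23, which is why `real_window` exists; since the shift is computed from `now()` at search time, the edges also move on every run of a scheduled search. Second, the shifted windows are half-open at the start, so an event stamped exactly at "now" (17:23 here) lands alone in a new 18:00 bucket rather than in the 16:23-17:23 window the question asks for. The relative-to-first variant avoids the label problem but anchors to the earliest event in the time range, not to now.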

cmerriman
Super Champion

What do you have your time range set to? I believe span works from the earliest time. I'm pretty sure 'Last 24 hours' snaps to the beginning of the hour. Try adding earliest=-24h to your search.
