Splunk Search

timechart span=60m snaps to hour whereas I want it to snap to minute

nabeel652
Builder

I'm trying to get hourly averages and compare the last to the previous one.

...some search | timechart span=60m avg(SampleValue)

However, this tends to count hourly events starting 00 minutes of every hour up to 59 mins. So if it is 5:01pm now and I have not received any event for SampleValue yet, it will show zero (or null) for this hour. Whereas I want it to start -60 minutes from now, so if it is 5:23pm now it should calculate an average on 4:24pm to 5:23pm and so on for the last 24 hours. Currently it seems to calculate 4:00pm to 5:00pm and 5:00pm to 5:23pm (or 6:00pm theoretically). In short, it snaps to an hour whereas I want it to snap to a minute at the most...

0 Karma
1 Solution

nabeel652
Builder

I was working with timecharts and this worked for me:

| eval _time = _time + (3600 - tonumber(strftime(now(),"%M"))*60) | timechart span=1h avg(SampleValue) as average

because we have a limitation with timechart that it only works with _time.


0 Karma

rjthibod
Champion

I don't know of a built-in way of doing what you ask using commands like bucket or bin. However, I think I figured out a way to get the value you would want per bucket. Depending on how dense your samples are, you could use makecontinuous and filldown to create a timechart with the data.

... your search ...
| eventstats min(_time) as start
| eval bin = floor((_time - start)/3600)
| eventstats avg(SampleValue) as average by bin
| fields SampleValue average
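The three bucketing schemes discussed in this thread (plain clock-hour timechart, the accepted answer's now-aligned shift, and the earliest-event-relative bin above) can be hard to reason about from the SPL alone. The following is an added Python example, not code from the thread or from Splunk, that reproduces each scheme's arithmetic over a constructed set of SampleValue events so the resulting windows and averages can be checked by hand. The event timestamps, values and the fixed "now" of 17:23:30 are all made-up assumptions for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the thread): one SampleValue reading at
# irregular minutes across three clock hours on an arbitrary day.
EVENTS = [
    {"_time": datetime(2024, 3, 26, 15, 5), "SampleValue": 10},
    {"_time": datetime(2024, 3, 26, 15, 35), "SampleValue": 20},
    {"_time": datetime(2024, 3, 26, 16, 5), "SampleValue": 30},
    {"_time": datetime(2024, 3, 26, 16, 20), "SampleValue": 40},
    {"_time": datetime(2024, 3, 26, 16, 30), "SampleValue": 50},
    {"_time": datetime(2024, 3, 26, 16, 50), "SampleValue": 60},
    {"_time": datetime(2024, 3, 26, 17, 10), "SampleValue": 70},
    {"_time": datetime(2024, 3, 26, 17, 20), "SampleValue": 80},
]
# Assumed search time: stands in for Splunk's now() in the accepted answer.
NOW = datetime(2024, 3, 26, 17, 23, 30)


def hour_floor(ts):
    """Snap a timestamp down to the clock hour, as `timechart span=1h` does."""
    return ts.replace(minute=0, second=0, microsecond=0)


def mean(values):
    return sum(values) / len(values)


def clock_hour_avg(events, field="SampleValue"):
    """Plain `timechart span=1h avg(field)`: buckets are HH:00 to HH:59."""
    buckets = defaultdict(list)
    for ev in events:
        buckets[hour_floor(ev["_time"])].append(ev[field])
    return {b: mean(v) for b, v in sorted(buckets.items())}


def now_aligned_hour_avg(events, now, field="SampleValue"):
    """The accepted answer: add (3600 - now_minute*60) seconds to every _time so
    the clock-hour boundaries land on the current minute, then bucket by hour.
    Keys are translated back to the real window start; timechart itself would
    label each bucket with the shifted hour."""
    shift = timedelta(seconds=3600 - now.minute * 60)
    buckets = defaultdict(list)
    for ev in events:
        buckets[hour_floor(ev["_time"] + shift)].append(ev[field])
    return {b - shift: mean(v) for b, v in sorted(buckets.items())}


def start_relative_hour_avg(events, field="SampleValue"):
    """The bin = floor((_time - start)/3600) variant: hour windows are anchored
    at the earliest event rather than at the clock hour or at now."""
    start = min(ev["_time"] for ev in events)
    buckets = defaultdict(list)
    for ev in events:
        idx = int((ev["_time"] - start).total_seconds() // 3600)
        buckets[idx].append(ev[field])
    return {b: mean(v) for b, v in sorted(buckets.items())}


def last_vs_previous(averages):
    """Return (latest, previous) hourly averages, the comparison the question asks for."""
    values = list(averages.values())
    return values[-1], values[-2]


if __name__ == "__main__":
    for name, result in [("clock hour", clock_hour_avg(EVENTS)),
                         ("now-aligned", now_aligned_hour_avg(EVENTS, NOW)),
                         ("start-relative", start_relative_hour_avg(EVENTS))]:
        print(name)
        for window, avg in result.items():
            print(f"  {window}: {avg:.1f}")
```

With "now" at 17:23, the shift is 37 minutes, so the now-aligned windows are 14:23 to 15:23, 15:23 to 16:23 and 16:23 to 17:23, and the last-versus-previous comparison is 65 against 30, whereas the clock-hour buckets give 75 for the partial 17:00 hour. Two consequences of the shift are worth keeping in mind: any event in the current, not-yet-complete minute (17:23:00 to 17:23:59) is pushed past the boundary into a nearly empty trailing bucket, and timechart's x-axis labels are moved forward by the same 37 minutes, so a bucket labelled 17:00 actually covers 16:23 to 17:23.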

cmerriman
Super Champion

What do you have your time range set to? I believe span works from the earliest time. I'm pretty sure 'Last 24 hours' snaps to the beginning of the hour. Try adding earliest=-24h to your search.

0 Karma