"shifting" search buckets

Jebnor · ‎06-05-2012

I'm trying to search through my logs and extract sum(x) for a time of 7am to 7am. If I search for exactly one 24h period, from 7am-7am (-1d@d+7h,@d+7h), I get the expected answer. However, if I set the timeframe to 48h, (-2d@d+7h,@d+7h), I get the wrong answer.

Example: (-1d@d+7h,@d+7h) custom time frame

index=foo other-stuff-here | chart sum(saveSize) as TotalSize(KB)

I get the expected result of 123456KB

This works for 48h sum: (-2d@d+7h,@d+7h) custom time frame

index=foo other-stuff-here | chart sum(saveSize) as TotalSize(KB)

However, I want a chart of 2 - 24h periods in the specified 48h. I tried a couple things which failed.

Gives me one sum for all 48h and doesn't 'split' by bins:

index=foo other-stuff-here | bucket _time bins=2 | chart sum(saveSize) as TotalSize(KB) by _time

Gives me 3 buckets, one for each 'day' the 48h spans.

index=foo other-stuff-here | bucket _time span=24h | chart sum(saveSize) as TotalSize(KB) by _time

Any thoughts?

Jebnor · ‎06-08-2012

I do believe I found the answer.



index=foo other-stuff-here | eval _time=(_time - 25200) | timechart sum(saveSize) as TotalSize(KB)

With my date set 7-7, this 'shifts' everything from midnight to 7am to the previous day by substracting 7h worth of seconds. There is an odd edge case on things at 7am; I don't know if splunk considers midnight yesterday or today, that is 2400h (yesterday) or 0000h (today).

Just need to be aware that is screws up interactive searches in the chart, so It should only be used for statistical purposes.

"shifting" search buckets

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!