Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

timechart - Trying to bucket by 10 minutes - Displaying every minute

TheJagoff
Communicator
‎07-19-2017 06:06 AM

Hi,

I am doing the following:
index=wineventlog user="*.ad" TaskCategory="Security Group Management" |bucket _time span=10m| timechart count AS EventCount

It is showing a report line for every minute - I would like for it to have a report line for every 10 minutes and I thought that the |bucket _time span=10m would do that.

How can I get this to display results for every 10 minutes?

Thanks in advance

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rjthibod
Champion
‎07-19-2017 06:09 AM

You need to put the span argument directly in the timechart command. Otherwise, it recalculates a span based on your search period.

New search to try:

index=wineventlog user="*.ad" TaskCategory="Security Group Management" | timechart span=10m count AS EventCount

View solution in original post

Reply
Solved! Jump to solution
Solution

rjthibod
Champion
‎07-19-2017 06:09 AM

You need to put the span argument directly in the timechart command. Otherwise, it recalculates a span based on your search period.

New search to try:

index=wineventlog user="*.ad" TaskCategory="Security Group Management" | timechart span=10m count AS EventCount

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...