Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Display last 8 hours from now () ..?

harishalipaka
Motivator
‎09-14-2018 01:06 AM

Hi Splunkers,

i want to display the last 8 hours of data with 1 hour different without any index or kv table .like makeresults or gentimes
Eg:- suppose now time is "2018-09-14 13:31:42" `

|makeresults |eval current=now() | timechart span=1h count as duration.

i want to display like below

time
13:30
12:30
11:30
10:30
09:30
08:30
07:30
06:30

ThanQ in advance 😞

Thanks
Harish
Tags (1)
0 Karma
Reply

niketn
Legend
‎09-15-2018 01:51 AM

@harishalipaka, try the following run anywhere example based on Splunk's _internal index

index=_internal sourcetype=splunkd log_level=ERROR
| timechart span=1h count as Error 
| append
    [| makeresults 
    | addinfo 
    | eval Time=info_max_time.",".info_min_time 
    | fields Time 
    | makemv Time delim="," 
    | mvexpand Time 
    | rename Time as _time 
    | timechart span=1h count(somefieldthatdoesnotexist) as Error] 
| dedup _time

The sub-query inside append creates dummy rows for each hour provided the Time Range selected for query is Last 8 hours i.e. earliest=-8h and latest=now. Final dedup returns non-zero counts returned by main search if they are present or else displays the 0 count from second search for last 8 hours.

You can test the second condition by changing base search from log_level=ERROR to log_level=ERROR1 which does not exist. Instead of showing No results Found it will show 0 count for last 8 hours.

Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

somesoni2
Revered Legend
‎09-14-2018 07:02 AM

Try like this

| gentimes start=-1 | eval time=mvrange(relative_time(now(),"-8h"), now(),1800) | table time | mvexpand time | rename time as _time | timechart span=30m count

OR 

| makeresults | eval time=mvrange(relative_time(now(),"-8h"), now(),1800) | table time | mvexpand time | rename time as _time | timechart span=30m count
Reply

renjith_nair
Legend
‎09-14-2018 03:56 AM

@harishalipaka,

Does it work for you?

| makeresults count=8|eval diff=1|accum diff as diff|eval diff=(diff-1)*3600
|eval _time=strftime(_time-diff,"%H:%M")|fields - diff
Happy Splunking!
0 Karma
Reply

niketn
Legend
‎09-14-2018 02:11 AM

@harishalipaka do u wnt to use this in search or dashboard?
Also what is the logic for picking 30 min instead of 31 if the current time is 31 minute?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...