Splunk Search

Display last 8 hours from now()?

harishalipaka
Motivator

Hi Splunkers,

I want to display the last 8 hours of data at 1 hour intervals, without any index or KV table, using something like makeresults or gentimes.
Eg: suppose the current time is "2018-09-14 13:31:42"

| makeresults | eval current=now() | timechart span=1h count as duration

I want to display it like below:

time
13:30
12:30
11:30
10:30
09:30
08:30
07:30
06:30

Thank you in advance 😞

Thanks
Harish

niketn
Legend

@harishalipaka, try the following run-anywhere example based on Splunk's _internal index:

index=_internal sourcetype=splunkd log_level=ERROR
| timechart span=1h count as Error 
| append
    [| makeresults 
    | addinfo 
    | eval Time=info_max_time.",".info_min_time 
    | fields Time 
    | makemv Time delim="," 
    | mvexpand Time 
    | rename Time as _time 
    | timechart span=1h count(somefieldthatdoesnotexist) as Error] 
| dedup _time

The sub-query inside append creates dummy rows for each hour, provided the Time Range selected for the query is Last 8 hours, i.e. earliest=-8h and latest=now. The final dedup returns the non-zero counts from the main search where they are present, or else displays the 0 count from the second search for the last 8 hours.

You can test the second condition by changing the base search from log_level=ERROR to log_level=ERROR1, which does not exist. Instead of showing "No results found" it will show a 0 count for the last 8 hours.

Please try it out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

somesoni2
SplunkTrust

Try like this:

| gentimes start=-1 | eval time=mvrange(relative_time(now(),"-8h"), now(),1800) | table time | mvexpand time | rename time as _time | timechart span=30m count

OR

| makeresults | eval time=mvrange(relative_time(now(),"-8h"), now(),1800) | table time | mvexpand time | rename time as _time | timechart span=30m count
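
The two answers above (niketn's append/dedup zero-fill and somesoni2's mvrange bucket generation) both come down to the same idea: generate every bucket in the window first, then merge in whatever counts exist, so an hour with no events shows as 0 instead of disappearing. The Python below is an added illustration of that logic outside Splunk, not code from this thread or from Splunk; NOW and SAMPLE_EVENTS are constructed values, and buckets are anchored to now (like mvrange(relative_time(now(),"-8h"), now(), 3600)) rather than snapped to the clock hour as timechart would do.

```python
import time
from collections import Counter

HOUR = 3600

# Constructed sample: "now" is 2018-09-14 13:31:42 UTC, the time used in the
# question. Events are epoch seconds: two in the last hour, one ~2h ago, one
# older than the window, and one exactly at "now" (outside a half-open window).
NOW = 1536931902
SAMPLE_EVENTS = [NOW - 1800, NOW - 1800, NOW - 7140, NOW - 9 * HOUR, NOW]


def bucket_starts(now_epoch, hours=8, span=HOUR):
    """Start times of the last `hours` buckets ending at now_epoch.

    Equivalent to mvrange(relative_time(now(),"-8h"), now(), span): values
    run from now-8h up to but not including now, anchored to now rather
    than to the clock hour (so a 13:31 run yields 05:31, 06:31, ... 12:31).
    """
    window_start = now_epoch - hours * span
    return [window_start + i * span for i in range(hours)]


def zero_filled_counts(event_times, now_epoch, hours=8, span=HOUR):
    """Return (bucket_start, count) for every bucket, including empty ones.

    This is what append + dedup achieves in the SPL answer: the generated
    rows guarantee a row per bucket, real counts replace the dummy zeros.
    For a detection dashboard the empty rows matter most: an hour with no
    events should render as 0, not silently vanish from the chart.
    """
    starts = bucket_starts(now_epoch, hours, span)
    window_start = starts[0]
    counts = Counter()
    for t in event_times:
        if window_start <= t < now_epoch:  # half-open [start, now)
            counts[window_start + ((t - window_start) // span) * span] += 1
    return [(start, counts.get(start, 0)) for start in starts]


def format_rows(rows):
    """Render bucket starts as HH:MM (UTC), matching the question's layout."""
    return [(time.strftime("%H:%M", time.gmtime(start)), n) for start, n in rows]


if __name__ == "__main__":
    # Newest first, as in the original question's expected output.
    for label, n in reversed(format_rows(zero_filled_counts(SAMPLE_EVENTS, NOW))):
        print(label, n)
```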

renjith_nair
SplunkTrust

@harishalipaka,

Does it work for you?

| makeresults count=8 
| eval diff=1 
| accum diff as diff 
| eval diff=(diff-1)*3600 
| eval _time=strftime(_time-diff,"%H:%M") 
| fields - diff
Happy Splunking!

niketn
Legend

@harishalipaka, do you want to use this in a search or a dashboard?
Also, what is the logic for picking 30 min instead of 31 if the current time is at 31 minutes?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"