Hi Splunkers,
I want to display the last 8 hours of data with a 1 hour difference, without any index or KV table, like makeresults or gentimes.
E.g. suppose the current time is "2018-09-14 13:31:42":
|makeresults |eval current=now() | timechart span=1h count as duration
I want to display it like below:
time
13:30
12:30
11:30
10:30
09:30
08:30
07:30
06:30
Thanks in advance 😞
@harishalipaka, try the following run-anywhere example based on Splunk's _internal index:
index=_internal sourcetype=splunkd log_level=ERROR
| timechart span=1h count as Error
| append
[| makeresults
| addinfo
| eval Time=info_max_time.",".info_min_time
| fields Time
| makemv Time delim=","
| mvexpand Time
| rename Time as _time
| timechart span=1h count(somefieldthatdoesnotexist) as Error]
| dedup _time
The sub-query inside append creates dummy rows for each hour, provided the Time Range selected for the query is Last 8 hours, i.e. earliest=-8h and latest=now. The final dedup returns the non-zero counts returned by the main search if they are present, or else displays the 0 count from the second search for the last 8 hours.
You can test the second condition by changing the base search from log_level=ERROR to log_level=ERROR1, which does not exist. Instead of showing No results found, it will show a 0 count for the last 8 hours.
Please try it out and confirm!
Try like this:
| gentimes start=-1 | eval time=mvrange(relative_time(now(),"-8h"), now(),1800) | table time | mvexpand time | rename time as _time | timechart span=30m count
OR
| makeresults | eval time=mvrange(relative_time(now(),"-8h"), now(),1800) | table time | mvexpand time | rename time as _time | timechart span=30m count
@harishalipaka,
Does it work for you?
| makeresults count=8 | eval diff=1 | accum diff as diff | eval diff=(diff-1)*3600
| eval _time=strftime(_time-diff,"%H:%M") | fields - diff
@harishalipaka do you want to use this in a search or in a dashboard?
Also, what is the logic for picking 30 min instead of 31 if the current time is at minute 31?