- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Why will timechart not give me hourly updates?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why will timechart not give me hourly updates?
I have the following query that shows me that date/time is getting parsed correctly and is now displaying and a regular Splunk time:
client
| table date, hour, _time, epochtime, correct_timestamp, rate
| eval correct_timestamp = date + " " + hour + ":00:00" | eval epochtime=strptime(correct_timestamp,"%Y-%m-%d %H:%M:%S")
| eval _time=strftime(epochtime, "%Y-%m-%d %H:%M:%S %p")
When I try to use the following query to create a timechart with an hourly average of the rate, I get no visualizations. I can easily create a timechart of rate that happens by day. Why can I not get this down to the hour?
client
| eval correct_timestamp = date + " " + hour + ":00:00" | eval epochtime=strptime(correct_timestamp,"%Y-%m-%d %H:%M:%S")
| eval _time=strftime(epochtime, "%Y-%m-%d %H:%M:%S %p")
|timechart avg(rate) span=1h
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@jamesandy51,
Try using the epoch time in timechart before you convert it to a string using strftime.
i.e.
client
| eval correct_timestamp = date + " " + hour + ":00:00"
| eval _time=strptime(correct_timestamp,"%Y-%m-%d %H:%M:%S")
| timechart avg(rate) span=1h
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This still does not work. It looks like after I run the |timechart command, it reverts _time to the original value before the eval.
Any other ideas?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your search is slightly incorrect - you're assigning an actual integer to epochtime using strptime, and then using strftime to format/assign it to _time. The field _time should have the epoch value, not the formatted value. This is causing timechart to be confused.
You're on the right track, and Renjith's answer is a correct one.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Got it, I have it working now. Thank you both for the help!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@jamesandy51, if it worked for you, please accept as answer. Thanks
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
