Splunk Search

Why will timechart not give me hourly updates?

jamesandy51
Explorer

I have the following query that shows me that date/time is getting parsed correctly and is now displaying as a regular Splunk time:

client
| eval correct_timestamp = date + " " + hour + ":00:00"
| eval epochtime = strptime(correct_timestamp, "%Y-%m-%d %H:%M:%S")
| eval _time = strftime(epochtime, "%Y-%m-%d %H:%M:%S %p")
| table date, hour, _time, epochtime, correct_timestamp, rate

When I try to use the following query to create a timechart with an hourly average of the rate, I get no visualizations. I can easily create a timechart of rate that happens by day. Why can I not get this down to the hour?

client
| eval correct_timestamp = date + " " + hour + ":00:00"
| eval epochtime = strptime(correct_timestamp, "%Y-%m-%d %H:%M:%S")
| eval _time = strftime(epochtime, "%Y-%m-%d %H:%M:%S %p")
| timechart avg(rate) span=1h
0 Karma

renjith_nair
SplunkTrust

@jamesandy51,

Try using the epoch time in timechart before you convert it to a string using strftime.

i.e.

client 
| eval correct_timestamp = date + " " + hour + ":00:00" 
| eval _time=strptime(correct_timestamp,"%Y-%m-%d %H:%M:%S")
| timechart avg(rate) span=1h
Happy Splunking!

jamesandy51
Explorer

This still does not work. It looks like after I run the |timechart command, it reverts _time to the original value before the eval.

Any other ideas?

0 Karma

sir_lamneth
Explorer

Your search is slightly incorrect - you're assigning an actual integer to epochtime using strptime, and then using strftime to format/assign it to _time. The field _time should have the epoch value, not the formatted value. This is causing timechart to be confused.

You're on the right track, and Renjith's answer is a correct one.

0 Karma
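To make the point of the two answers above concrete, here is an added example (not from the original thread, and not Splunk code) that models in Python what timechart does with the _time field: it parses the constructed "date" and "hour" values into epoch seconds exactly as strptime does, buckets rows by floor(_time / span) with span=1h, and averages rate per bucket. The same bucketing is then run against the OP's variant, where _time has been turned back into a formatted string by strftime. The sample rows are constructed, and the choice to drop rows whose _time is not numeric is a modelling assumption that mirrors the "no visualization" symptom, not a statement of Splunk internals.

```python
"""Model of timechart bucketing, to show why _time must hold epoch seconds.

Added example: the rows below are constructed, and this code is a stand-in for
Splunk's behaviour, not Splunk itself.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample rows shaped like the OP's "date", "hour" and "rate" fields.
SAMPLE_ROWS = [
    {"date": "2019-03-01", "hour": "00", "rate": 10},
    {"date": "2019-03-01", "hour": "00", "rate": 20},
    {"date": "2019-03-01", "hour": "01", "rate": 30},
    {"date": "2019-03-02", "hour": "05", "rate": 40},
]

SPAN_1H = 3600  # timechart ... span=1h


def to_epoch(date: str, hour: str) -> float:
    """Equivalent of: eval _time=strptime(date." ".hour.":00:00", "%Y-%m-%d %H:%M:%S").

    Returns a number (epoch seconds, UTC assumed for the example).
    """
    ts = datetime.strptime(f"{date} {hour}:00:00", "%Y-%m-%d %H:%M:%S")
    return ts.replace(tzinfo=timezone.utc).timestamp()


def to_formatted(epoch: float) -> str:
    """Equivalent of the OP's strftime(epochtime, "%Y-%m-%d %H:%M:%S %p").

    Note the return type: a display string, no longer a number.
    """
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S %p")


def timechart_avg(rows: list, span_seconds: int = SPAN_1H) -> dict:
    """Bucket rows by floor(_time / span) * span and average 'rate' per bucket.

    Modelling assumption: a row whose _time is not numeric cannot be assigned
    to a time bucket and is dropped, so an all-string _time yields an empty
    chart, which is the symptom reported in the question.
    """
    buckets = defaultdict(list)
    for row in rows:
        t = row["_time"]
        if not isinstance(t, (int, float)):
            continue  # formatted string: cannot be divided into spans
        bucket_start = int(t // span_seconds) * span_seconds
        buckets[bucket_start].append(row["rate"])
    return {start: sum(v) / len(v) for start, v in sorted(buckets.items())}


def correct_pipeline(rows: list = SAMPLE_ROWS) -> dict:
    """Renjith's version: _time = strptime(...) keeps epoch seconds."""
    with_time = [{**r, "_time": to_epoch(r["date"], r["hour"])} for r in rows]
    return timechart_avg(with_time)


def broken_pipeline(rows: list = SAMPLE_ROWS) -> dict:
    """OP's version: _time = strftime(strptime(...)) is a string; nothing buckets."""
    with_time = [{**r, "_time": to_formatted(to_epoch(r["date"], r["hour"]))} for r in rows]
    return timechart_avg(with_time)


if __name__ == "__main__":
    for start, avg in correct_pipeline().items():
        print(datetime.fromtimestamp(start, tz=timezone.utc).isoformat(), avg)
    print("broken:", broken_pipeline())
```

Running the module prints three hourly buckets (two rows averaged into 2019-03-01 00:00, one each at 01:00 and 2019-03-02 05:00) for the strptime version and an empty result for the strftime version, which is the whole difference between the two queries in the thread.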

jamesandy51
Explorer

Got it, I have it working now. Thank you both for the help!!

0 Karma

renjith_nair
SplunkTrust

@jamesandy51, if it worked for you, please accept as answer. Thanks

Happy Splunking!
0 Karma