- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How can I force a timechart to snap to the end of ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a very simple search to count the amount of emails delivered by week and display this in a timechart over the last 3 months.
This all works well, however the chart snaps to the day of the week the logs began. I've tried messing around with the advanced time offsets in the time picker, but it still only ever seems to snap to the start of the week. I would like to display this as the week ending date, as the count is for the emails that were delivered during that week.
e.g.
I'd like the snap points to be Mondays at 00:00, however I'd like the figure of that week to be the count of emails that came in during the previous week.
How can I do this?
My search is pretty simple (and could likely be made much more efficient):
index=mail sourcetype=mail from=* | regex from!=".*\@mydomain\.com" | timechart count span=7d
I'm running Splunk Enterprise 7.1.3
Thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A simple trick is to add 7days time to your _time ?
index=mail sourcetype=mail from=* | regex from!=".*\@mydomain\.com" | timechart count span=7d| eval _time=_time+(7*24*60*60)
The above will shift your chart by 7days ahead. But feel free to change it to 24hrs or something which fits you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A simple trick is to add 7days time to your _time ?
index=mail sourcetype=mail from=* | regex from!=".*\@mydomain\.com" | timechart count span=7d| eval _time=_time+(7*24*60*60)
The above will shift your chart by 7days ahead. But feel free to change it to 24hrs or something which fits you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I arrived at this conclusion as well... is there still no way of doing this with the timechart command?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nice one! That's done it. Thanks.
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
