Solved: How can I force a timechart to snap to the end of ...

andimnf · ‎05-27-2019

I have a very simple search to count the amount of emails delivered by week and display this in a timechart over the last 3 months.

This all works well, however the chart snaps to the day of the week the logs began. I've tried messing around with the advanced time offsets in the time picker, but it still only ever seems to snap to the start of the week. I would like to display this as the week ending date, as the count is for the emails that were delivered during that week.

e.g.
I'd like the snap points to be Mondays at 00:00, however I'd like the figure of that week to be the count of emails that came in during the previous week.

How can I do this?

My search is pretty simple (and could likely be made much more efficient):

index=mail sourcetype=mail from=* | regex from!=".*\@mydomain\.com" | timechart count span=7d

I'm running Splunk Enterprise 7.1.3

Thanks in advance.

koshyk · ‎05-27-2019

A simple trick is to add 7days time to your _time ?

 index=mail sourcetype=mail from=* | regex from!=".*\@mydomain\.com" | timechart count span=7d| eval _time=_time+(7*24*60*60)

The above will shift your chart by 7days ahead. But feel free to change it to 24hrs or something which fits you.

View solution in original post

koshyk · ‎05-27-2019

A simple trick is to add 7days time to your _time ?

 index=mail sourcetype=mail from=* | regex from!=".*\@mydomain\.com" | timechart count span=7d| eval _time=_time+(7*24*60*60)

The above will shift your chart by 7days ahead. But feel free to change it to 24hrs or something which fits you.

andrewtrobec · ‎09-23-2020

I arrived at this conclusion as well... is there still no way of doing this with the timechart command?

andimnf · ‎05-27-2019

Nice one! That's done it. Thanks.

How can I force a timechart to snap to the end of the week rather than beginning?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life