For example, in the search below, when I try to perform a timechart with span=2hr, why does it always start from 23:00 of the previous day?
Example:
index="index1"
| timechart span=2hr count as "Total"
_time Total
2019-09-22 23:00 0
2019-09-23 01:00 0
2019-09-23 03:00 36
2019-09-23 05:00 0
2019-09-23 07:00 679
2019-09-23 09:00 782
2019-09-23 11:00 293
2019-09-23 13:00 0
2019-09-23 15:00 0
2019-09-23 17:00 0
2019-09-23 19:00 0
2019-09-23 21:00 0
2019-09-23 23:00 0
In my requirement, the span needs to start from 00:00 and not 23:00. Could you please help?
Thanks!!
What timezone is Splunk running in?
Are you doing absolute timing (eg -2d@), or relative (eg -48h)?
Sidebar - you want | timechart span=2h count as Total
I have the same problem, and for me this started with the switch from summer time.
If I search for logs from 00:00 to 24:00 (earliest=-2d@d latest=-1d@d), I correctly get the logs in that timeframe.
When I want to split this time into 2 hour segments with span (either with | bucket span=2h _time or with | timechart span=2h count), the segments start at 23h. This means that my first and last segment only have data from one hour.
How come "span" uses a different time setting than earliest/latest?
My workaround (which needs to change at every time change) is the following:
| eval _time=_time+3600
| bucket span=2h _time
| eval _time=_time-3600
| stats count by _time
Not very elegant, but it works.
Hi,
It's running in the CET timezone, and the user is in the GMT-03:00 (Brazil) timezone.
I'm selecting the time period for yesterday, i.e. (09/23/2019 00:00:00:000 - 09/24/2019 00:00:00:000).
Yes, I want to count events in spans of 2 hours, i.e. from 0-2, 2-4, etc.
Thanks,
Vinay
Unix epoch time is always UTC - https://en.wikipedia.org/wiki/Unix_time
Sounds like you're running into timezone boundaries - if the server's running CET (1 hour ahead of UTC), then it is dividing correctly on the odd hours
Use fixed time intervals like index=blah earliest=-1d@d latest=@d for yesterday, or index=blah earliest=@d for today, instead of the preset "last 24h".
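The two points made above (buckets are aligned to the UTC epoch, and the +3600/-3600 eval workaround) can be reproduced outside Splunk. The following is an added example, not code from the thread or from Splunk: it models `bucket span=2h _time` as epoch-aligned bucketing, shows why a user viewing results in GMT-03:00 (America/Sao_Paulo, an assumed zone for the "Brazil" timezone) sees boundaries at 23:00/01:00/03:00, and shows why the CET poster only noticed the problem after the summer-time switch (CEST is UTC+2, which happens to line up with 2h UTC buckets; CET is UTC+1, which does not). The `bucket_local_aligned` function is the workaround generalized: it reads the zone's UTC offset per event instead of hard-coding 3600, so it does not need to be edited at each DST change. The event timestamps are constructed for the example.

```python
from datetime import datetime
from zoneinfo import ZoneInfo  # Python 3.9+, needs system tzdata

SPAN_2H = 2 * 3600  # span=2h, in seconds


def to_epoch(local_ts: str, tz_name: str) -> int:
    """Parse 'YYYY-MM-DD HH:MM' as wall-clock time in tz_name; return Unix epoch (UTC)."""
    naive = datetime.strptime(local_ts, "%Y-%m-%d %H:%M")
    return int(naive.replace(tzinfo=ZoneInfo(tz_name)).timestamp())


def to_local(epoch: int, tz_name: str) -> str:
    """Render an epoch the way the UI would for a user whose timezone is tz_name."""
    return datetime.fromtimestamp(epoch, ZoneInfo(tz_name)).strftime("%Y-%m-%d %H:%M")


def bucket_epoch_aligned(epoch: int, span: int = SPAN_2H) -> int:
    """What `bucket span=2h _time` does: boundaries are multiples of `span`
    counted from 1970-01-01 00:00 UTC. Every UTC midnight is a multiple of 7200,
    so 2h buckets start on even UTC hours regardless of the user's timezone."""
    return epoch - epoch % span


def bucket_local_aligned(epoch: int, tz_name: str, span: int = SPAN_2H) -> int:
    """The eval +offset / bucket / eval -offset workaround, with the offset taken
    from the zone for that instant (so it follows DST instead of a fixed 3600)."""
    local = datetime.fromtimestamp(epoch, ZoneInfo(tz_name))
    offset = int(local.utcoffset().total_seconds())
    return bucket_epoch_aligned(epoch + offset, span) - offset


def timechart(events, tz_name: str, local_aligned: bool = False, span: int = SPAN_2H):
    """Count events per 2h bucket; keys are bucket starts rendered in tz_name,
    mirroring the _time column of `timechart span=2h count`."""
    counts = {}
    for ts in events:
        e = to_epoch(ts, tz_name)
        b = bucket_local_aligned(e, tz_name, span) if local_aligned else bucket_epoch_aligned(e, span)
        key = to_local(b, tz_name)
        counts[key] = counts.get(key, 0) + 1
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    # Constructed sample: three events on 2019-09-23, as seen by a GMT-03:00 user.
    brazil_events = ["2019-09-23 00:30", "2019-09-23 01:30", "2019-09-23 03:10"]
    print("epoch-aligned (Splunk default):", timechart(brazil_events, "America/Sao_Paulo"))
    print("local-aligned (workaround):    ", timechart(brazil_events, "America/Sao_Paulo", local_aligned=True))

    # Same 00:30 event in Berlin, summer (CEST, UTC+2) vs winter (CET, UTC+1).
    for ts in ["2019-07-15 00:30", "2019-01-15 00:30"]:
        e = to_epoch(ts, "Europe/Berlin")
        print(ts, "->", to_local(bucket_epoch_aligned(e), "Europe/Berlin"),
              "| local-aligned:", to_local(bucket_local_aligned(e, "Europe/Berlin"), "Europe/Berlin"))
```

Run as-is, the Brazil rows come out as 2019-09-22 23:00 / 01:00 / 03:00 with the default bucketing and 00:00 / 02:00 with the local-aligned one; the Berlin event buckets to 00:00 in July but to 23:00 of the previous day in January, which is exactly the "started with the switch from summer time" symptom. The SPL workaround in the thread is the same arithmetic with the offset fixed at 3600; if your Splunk version's strftime supports %z (assumed here, check your docs), the offset can be computed per event instead of being edited at each DST change.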
I tried, but it doesn't work with either earliest=-1d@d latest=@d or earliest=@d. It gives the same results.
_time Total
2019-09-22 23:00 0
2019-09-23 01:00 0
2019-09-23 03:00 36
2019-09-23 05:00 0
2019-09-23 07:00 679
2019-09-23 09:00 782
2019-09-23 11:00 293
2019-09-23 13:00 0
2019-09-23 15:00 0
2019-09-23 17:00 0
2019-09-23 19:00 0
2019-09-23 21:00 0
2019-09-23 23:00 0
Try using span=2h@h
span does not work @h
It works, but it gives the same results.
_time Total
2019-09-22 23:00 0
2019-09-23 01:00 0
2019-09-23 03:00 36
2019-09-23 05:00 0
2019-09-23 07:00 679
2019-09-23 09:00 782
2019-09-23 11:00 293
2019-09-23 13:00 0
2019-09-23 15:00 0
2019-09-23 17:00 0
2019-09-23 19:00 0
2019-09-23 21:00 0
2019-09-23 23:00 0
Just a thought. Are the timezone of the logs and the timezone of the system the same?