Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Using TimeWrap for specific time window.

rajatsinghbagga
Explorer
‎10-08-2019 06:49 PM

Hello Everyone,

I am trying to count the events for the window 8PM(Day1) to 6AM(Day2) for last 3 days so that I can compare the count of the events for last 2 time windows.

Assuming I am running the query today (i.e. 9/10/2019) then:-

Window 2:- 8PM(7/10/2019 i.e. Day3) to 6AM(8/10/2019 i.e. Day2)
Window 1:- 8PM(8/10/2019 i.e. Day2) to 6AM(9/10/2019 i.e. Day1)

Is there any way to count events for these specific windows and then do a compare using TIMECHART/TIMEWRAP

I tried to use the below query after working out the earliest and latest times using the time picker advanced tab but that is not giving me the results for the 2 time windows I am trying to compare. 

Index=syslog  JOBNAME="XX*"   earliest=-3d@h+32h latest=@d+06h 
| timechart useother=f count as count
| timewrap d

Or if there is any other better way of doing/representing it then please let me know.

Thanks,
Rajat

0 Karma
Reply

dural_yyz
Communicator
‎07-15-2020 12:42 PM

| tstats count WHERE index=_internal (earliest=-5d@d+20h latest=+1d@d+6h) GROUPBY _time span=15m
| eval hour=strftime(_time,"%H")
| search hour IN (20 21 22 23 00 01 02 03 04 05)
| timechart span=15m sum(count) cont=f
| timewrap 1d align=end

Since tstats is faster I displayed that but not all search strings will fit with tstats so a basic search would work the same if you continue to specify the earliest and latest time stamps.  I have seen documentation that indicates the use of multiple earliest and latest combinations but I wasn't able to get that to function.  To filter I extracted the hour and placed that in a search string.

With the timechart command you have to use the option cont=f in order to filter out null value windows on your visualization, without this it will show the full 24 window.

With the timewrap command you do not need the align option as the default value will set to end of the search string, I leave it there in order for others to know the timewrap command is impacted by how you align the wrap based on search time window end.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...