Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

timechart day offset

jeff
Contributor
‎05-09-2013 06:42 AM

I am trying to run a timechart against a summary index (the summary is populated once an hour) and split into 24 hour segments:

index=summary search_name=my_summary earliest=-30d@h latest=@h
| timechart span=24h count by target

If I set span=1d the buckets are split at midnight. I really want them to be split into 24 hour buckets that align with the search when run though... whether I set span=24h or span=1440m or span=86400s though, the segment is split at 8pm each day (regardless of when the search is run), resulting in 31 bins (29 with 24 events per target, and 2 with whatever adds up to 24 (11+13 for instance) at the beginning and end of the span.

I've also tried bins=30 by itself (2 bins split at month markers) and span=24h bins=30 (bins ignored).

Splunk 4.3

Any thoughts or sanity checks welcome and appreciated.

Tags (1)
Reply

dwaddle
SplunkTrust
SplunkTrust
‎05-09-2013 08:03 AM

You may be able to do this mathematically by decomposing timechart and manipulating _time somewhere in the middle.

The timechart command is very close to this sequence of individual commands:

... | bucket span=XX _time | chart count over _time by target

It is the bucket command (or its equivalent within timechart) that is "rounding down" to the nearest value of span. What you may be able to do is something like this:

... | bucket span=1h _time 
| addinfo
| <STUFF>
| timechart span=1d count by target

The "STUFF" is the tricky part. You'll need to do some eval magic to add-or-subtract from _time to shift events forward or backward in time. The addinfo command will introduce a couple of new fields to assist with this, specifically info_search_time which will be a time_t type value (seconds since 1970) of when the search was started.

So, the "STUFF" might start out something like:

| eval hour_of_search=strftime("%H",info_search_time)
| eval hour_of_time=strftime("%H",_time)
| eval hourshift=if(hour_of_time > hour_of_search,(24-hour_of_search),0)
| eval _time=_time + hourshift*3600

Note I have no idea if the algebra there is right or not. It's just to demonstrate the general idea that _time is mutable, and if you can mathematically work out how to get what you want you can fuzz events forward or backward in time as needed to put them in the "same day" as you define your day.

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...