I am trying to run a timechart against a summary index (the summary is populated once an hour) and split into 24 hour segments:
index=summary search_name=my_summary earliest=-30d@h latest=@h
| timechart span=24h count by target
If I set span=1d the buckets are split at midnight. I really want them to be split into 24 hour buckets that align with the time the search is run, though. Whether I set span=24h, span=1440m or span=86400s, the segment is split at 8pm each day (regardless of when the search is run), resulting in 31 bins: 29 with 24 events per target, and 2 at the beginning and end of the span with whatever adds up to 24 (11+13 for instance).
I've also tried bins=30 by itself (2 bins split at month markers) and span=24h bins=30 (bins ignored).
Splunk 4.3
Any thoughts or sanity checks welcome and appreciated.
You may be able to do this mathematically by decomposing timechart and manipulating _time somewhere in the middle.
The timechart command is very close to this sequence of individual commands:
... | bucket span=XX _time | chart count over _time by target
It is the bucket command (or its equivalent within timechart) that is "rounding down" to the nearest value of span. What you may be able to do is something like this:
... | bucket span=1h _time
| addinfo
| <STUFF>
| timechart span=1d count by target
The "STUFF" is the tricky part. You'll need to do some eval magic to add-or-subtract from _time to shift events forward or backward in time. The addinfo command will introduce a couple of new fields to assist with this, specifically info_search_time, which will be a time_t type value (seconds since 1970) of when the search was started.
So, the "STUFF" might start out something like:
| eval hour_of_search=strftime("%H",info_search_time)
| eval hour_of_time=strftime("%H",_time)
| eval hourshift=if(hour_of_time > hour_of_search,(24-hour_of_search),0)
| eval _time=_time + hourshift*3600
Note I have no idea if the algebra there is right or not. It's just to demonstrate the general idea that _time is mutable, and if you can mathematically work out how to get what you want, you can fuzz events forward or backward in time as needed to put them in the "same day" as you define your day.
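The following Python model, added here and not part of the question or the answer above, reproduces the 31-bin symptom and the "shift _time, bucket, shift back" idea outside Splunk so the arithmetic can be checked before it is written as eval. It assumes (as the fixed 8pm boundary in the question suggests) that a seconds-based span such as span=24h rounds _time down to a multiple of the span counted from the Unix epoch, and it uses a constructed hourly summary (one row per hour per target, 30 days, search started at 14:00 UTC) as input. Function names and the 14:00 search time are assumptions for the illustration.

```python
from collections import Counter
from datetime import datetime, timezone

DAY = 86400
HOUR = 3600

# Constructed: the search is assumed to have started at 14:00 UTC on 2024-03-10.
SEARCH_TIME = int(datetime(2024, 3, 10, 14, tzinfo=timezone.utc).timestamp())


def epoch_bucket(ts, span=DAY):
    """Assumed behaviour of `bucket span=24h`: round _time down to a multiple
    of span measured from the Unix epoch (00:00 UTC, which is 8pm the previous
    evening in a UTC-4 zone)."""
    return ts - ts % span


def search_aligned_bucket(ts, search_time, span=DAY):
    """Round ts down to the nearest boundary on the lattice search_time - k*span,
    i.e. 24h bins that end at the hour the search was started."""
    offset = search_time % span          # seconds the search start lies past an epoch boundary
    return epoch_bucket(ts - offset, span) + offset


def shift_then_bucket(ts, search_time, span=DAY):
    """The eval-style version of the same thing: push every event forward by
    (span - offset) so that the search hour lands on an epoch boundary, bucket
    with epoch alignment, then pull the bucket start back by the same amount.
    In SPL terms: eval _time=_time+shift | bucket span=24h _time | eval _time=_time-shift."""
    shift = span - search_time % span
    return epoch_bucket(ts + shift, span) - shift


def hourly_summary(search_time, days=30, targets=("alpha", "beta")):
    """Constructed summary-index rows: one event per hour per target for the
    last `days` days, matching earliest=-30d@h latest=@h."""
    earliest = search_time - days * DAY
    return [(t, tgt) for t in range(earliest, search_time, HOUR) for tgt in targets]


def timechart(events, bucket_fn):
    """Equivalent of `bucket ... _time | chart count over _time by target`."""
    counts = Counter()
    for t, tgt in events:
        counts[(bucket_fn(t), tgt)] += 1
    return counts


def bins_per_target(counts, target):
    """Per-bin counts for one target, in bin-start order."""
    return [n for (b, tgt), n in sorted(counts.items()) if tgt == target]


if __name__ == "__main__":
    ev = hourly_summary(SEARCH_TIME)
    print("epoch-aligned  :", bins_per_target(timechart(ev, epoch_bucket), "alpha"))
    print("search-aligned :", bins_per_target(
        timechart(ev, lambda t: search_aligned_bucket(t, SEARCH_TIME)), "alpha"))
```

With epoch alignment the 720 hourly rows per target fall into 31 bins (a partial 10-row bin, 29 full bins of 24, and a partial 14-row bin), which is the shape described in the question; with boundaries moved to the search hour the same rows fall into exactly 30 bins of 24. The shift amount is the same for every event, so the conditional hour comparison in the answer's sketch is not needed: one constant offset derived from info_search_time is enough.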