Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can I do a timewrap and use partial=false (part of timechartt command) when setting latest time to now =+Xdays@d

HattrickNZ
Motivator
‎09-04-2019 09:54 PM

my search looks like this ... | fields _time fieldname |
eval wday = strftime(_time, "%a") | where wday = "Thu" | fields - wday | timewrap d series=exact |

1/
my serach produces this earliest =-15d@w1 latest =+8d@w1
but there is 3 values in each 5min slot, but they do not come in at the same time in that 5min slot.
That is why I use the partial=false, to not show this data/time point until it has all the 3 values
But partial=false does not work in this instance. it does in the below exampl
timewrap-partialfalse-latesttimefuture

2/
my serach produces this earliest =-15d@w1 latest =now
note the same graph as above except for the latest change. but the partial=false works here and does not show this data/time point until it has all the 3 values.
timewrap-partialfalse-latesttimenow

Anyway I can get timechart, partial=false to work in my example 1 above?
Or do you need more information?
tks

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...