I have a scenario here.
I have data in my local Splunk for the time range from 6-Nov-2015 11:45 UTC to 10-Nov-2015 13:45 UTC. I need to get the data count in buckets based on a time span of 15 minutes. If I try to search data from 6-Nov-2015 10:30 UTC to 10-Nov-2015 15:30 UTC using timechart, I am getting empty buckets in between the data, but losing the empty buckets at the start/end. And I am getting buckets from 6-Nov-2015 11:45 UTC to 10-Nov-2015 13:45 UTC. Can anyone suggest how to get the empty buckets at the start/end?
My Splunk search is:
(index=my_index msecBefore>=1446805800000 msecBefore<=1447169400000 label="testLabel") | timechart cont=true span=15m count(eval( msecElapsed<72000000)) as Satisfied
Any help would be appreciated.
Regards,
Suresh
Add in dummy records for start and end that won't affect the result. i.e, that have msecElapsed greater than your satisfied number. Do this immediately before your timechart command.
| append
[|makeresults | eval msecElapsed=72000001
| eval MyFlag=mvappend("DummyStart","DummyEnd")
| mvexpand MyFlag ]
| addinfo
| eval _time=case(isnull(MyFlag),_time,MyFlag=="DummyStart",info_min_time,MyFlag=="DummyEnd",info_max_time)
The addinfo command has to be outside the brackets, so it pulls its info_min_time and info_max_time from the outside search time range.
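The padding trick described in this answer, and the gap Suresh describes in the question, as an added example that is not from the original thread and is not Splunk code: a small Python stand-in for timechart's 15-minute bucketing. Without a window it bins from the first event to the last (keeping the empty buckets in the middle, as cont=true does); with a window it pads the buckets out to the search range, which is what the dummy records at info_min_time and info_max_time achieve. The sample events, the window bounds, and the names timechart_count, floor_to_span and format_rows are assumptions made for this example; it also assumes the time picker range is what info_min_time/info_max_time report, and treats the window end as exclusive in the way Splunk's latest= is.

```python
from datetime import datetime, timedelta, timezone

SPAN = timedelta(minutes=15)   # timechart span=15m
SATISFIED_MS = 72_000_000      # "Satisfied" means msecElapsed < 72000000

# Constructed sample events (not real Splunk data): (_time, msecElapsed).
# They lie inside the range the question says the index holds,
# 6-Nov-2015 11:45 UTC to 10-Nov-2015 13:45 UTC.
SAMPLE_EVENTS = [
    (datetime(2015, 11, 6, 11, 45, tzinfo=timezone.utc), 1_000),       # satisfied
    (datetime(2015, 11, 6, 11, 50, tzinfo=timezone.utc), 80_000_000),  # not satisfied
    (datetime(2015, 11, 7, 0, 3, tzinfo=timezone.utc), 5),             # satisfied
    (datetime(2015, 11, 10, 13, 45, tzinfo=timezone.utc), 100),        # satisfied
]

# The wider search window from the question; this stands in for the
# info_min_time / info_max_time that addinfo would report (assumption).
WINDOW_START = datetime(2015, 11, 6, 10, 30, tzinfo=timezone.utc)
WINDOW_END = datetime(2015, 11, 10, 15, 30, tzinfo=timezone.utc)


def floor_to_span(t, span=SPAN):
    """Align a UTC datetime down to the start of its bucket.
    Buckets are aligned to whole multiples of the span since the epoch."""
    span_s = span.total_seconds()
    ts = t.timestamp()
    return datetime.fromtimestamp(ts - (ts % span_s), tz=timezone.utc)


def timechart_count(events, window_start=None, window_end=None, span=SPAN):
    """Return [(bucket_start, satisfied_count), ...] for consecutive buckets.

    Without a window the buckets run from the first event's bucket to the
    last event's bucket, keeping empty buckets in between: the shape the
    question complains about.  With a window the buckets are padded out to
    cover [window_start, window_end), which is what the dummy records at
    info_min_time / info_max_time accomplish.  window_end is exclusive.
    """
    counts = {}
    for t, msec_elapsed in events:
        bucket = floor_to_span(t, span)
        counts[bucket] = counts.get(bucket, 0) + (1 if msec_elapsed < SATISFIED_MS else 0)

    if window_start is not None and window_end is not None:
        first = floor_to_span(window_start, span)
        last = floor_to_span(window_end - timedelta(microseconds=1), span)
    elif counts:
        first, last = min(counts), max(counts)
    else:
        return []

    rows = []
    bucket = first
    while bucket <= last:
        rows.append((bucket, counts.get(bucket, 0)))
        bucket += span
    return rows


def format_rows(rows):
    """Render bucket starts as 'YYYY-MM-DD HH:MM' strings for display or checks."""
    return [(b.strftime("%Y-%m-%d %H:%M"), n) for b, n in rows]


if __name__ == "__main__":
    unpadded = timechart_count(SAMPLE_EVENTS)
    padded = timechart_count(SAMPLE_EVENTS, WINDOW_START, WINDOW_END)
    print(len(unpadded), "buckets without padding, first:", format_rows(unpadded)[0])
    print(len(padded), "buckets padded to the window, first:", format_rows(padded)[0])
```

Run stand-alone it reports 393 buckets for the unpadded case (first bucket 11:45 on 6 Nov, the first event) and 404 for the padded case (first bucket 10:30 on 6 Nov, count 0, and a trailing run of empty buckets up to 15:15 on 10 Nov), the difference being exactly the leading and trailing empty buckets the question asks for.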
Thank you DalJeanis! While this is a lot of work for such a simple outcome, it does work!
Agreed. It would seem that you should be able to use a combination of the bin start/end options and the continuous flag, but (as I understand it) there are some finicky things about the order of the bin options and how much option information Splunk thinks is enough... and more than that is not allowed.
Hello Suresh,
Did you find a solution for this? I am having the same problem.
Thanks
Sean
Thanks lquinn, but that didn't work.
This is my search
sn_edge_encryption (host="XXXXXXX*") OR (host="XXXXX*") proxy NOT EdgeEncryptionProcessor | timechart span=30s count fixedrange=true
My search window is
34 events (2/8/17 10:20:00.000 AM to 2/8/17 11:36:00.000
But when I go to the visualization tab the chart that comes up starts at my first search result which is 1031. I want the chart on the visualization tab to be the same time range as my search window above.
You don't need cont=true in the timechart command. I think that fixedrange=true is the default, but you might add it to be sure...