Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Timechart - span=30m show data in 15th and 45th min

askkawalkar
Path Finder
‎06-18-2019 12:02 AM

I am trying to create a timechart
base search ...
| timechart span=30m latest(COUNT) as COUNT by NAME

it is providing me events for field "_time" as : "12:00", "12:30", "01:00", "01:30" .. and so on..

I want field "_time" as : "12:15", "12:45", "01:15", "1:45" ... and so on...

Is there any solution to convert _time.

Thanks in advance.

Reply
1 Solution
Solved! Jump to solution
Solution

VatsalJagani
SplunkTrust
SplunkTrust
‎06-18-2019 05:21 AM

Hello @askkawalkar,

This query worked for me. Instead of timechart use below list of evals, stat and chart to achieve your requirement.

<your query>
| bin _time span=15m 
| stats latest(COUNT) as COUNT by _time, NAME
| eval _time=_time/100 
| eval _time=if(_time%2==0,_time-9,_time) 
| eval _time=_time*100 
| chart last(COUNT) as COUNT over _time by NAME

View solution in original post

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎06-21-2019 06:03 AM

here is another way of achieving your goal with the aligntime attribute:
read here:
https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Bin#Bin_options

run this search anywhere:

| gentimes start=-2 increment=1m
| eval _time = starttime 
| eval number = random()%200
| bin _time span=30m aligntime=@d+15m
| timechart max(number) as max_number

hope it helps

0 Karma
Reply
Solved! Jump to solution

askkawalkar
Path Finder
‎06-21-2019 07:42 AM

Hi @adonio ,

Thanks for your help in search anywhere.

Thanks,
Ankush

0 Karma
Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎06-21-2019 12:14 AM

@askkawalkar - Did you get chance to check answer?

0 Karma
Reply
Solved! Jump to solution
Solution

VatsalJagani
SplunkTrust
SplunkTrust
‎06-18-2019 05:21 AM

Hello @askkawalkar,

This query worked for me. Instead of timechart use below list of evals, stat and chart to achieve your requirement.

<your query>
| bin _time span=15m 
| stats latest(COUNT) as COUNT by _time, NAME
| eval _time=_time/100 
| eval _time=if(_time%2==0,_time-9,_time) 
| eval _time=_time*100 
| chart last(COUNT) as COUNT over _time by NAME
0 Karma
Reply
Solved! Jump to solution

askkawalkar
Path Finder
‎06-21-2019 07:36 AM

Hi @VatsalJagani ,

Thanks for your quick help. This solution worked for me.

Below is the run anywhere query (@adonio: thanks for providing run anywhere search)

| gentimes start=-2 increment=30m
 | eval _time = starttime 
 | eval number = random()%200
| bin _time span=15m 
 | stats latest(number) as COUNT by _time
 | eval _time=_time/100 
 | eval _time=if(_time%2==0,_time-9,_time) 
 | eval _time=_time*100 
 | chart last(COUNT) as COUNT over _time

Regards,
Ankush

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...