- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Why will timechart not give me hourly updates?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why will timechart not give me hourly updates?
I have the following query that shows me that date/time is getting parsed correctly and is now displaying and a regular Splunk time:
client
| table date, hour, _time, epochtime, correct_timestamp, rate
| eval correct_timestamp = date + " " + hour + ":00:00" | eval epochtime=strptime(correct_timestamp,"%Y-%m-%d %H:%M:%S")
| eval _time=strftime(epochtime, "%Y-%m-%d %H:%M:%S %p")
When I try to use the following query to create a timechart with an hourly average of the rate, I get no visualizations. I can easily create a timechart of rate that happens by day. Why can I not get this down to the hour?
client
| eval correct_timestamp = date + " " + hour + ":00:00" | eval epochtime=strptime(correct_timestamp,"%Y-%m-%d %H:%M:%S")
| eval _time=strftime(epochtime, "%Y-%m-%d %H:%M:%S %p")
|timechart avg(rate) span=1h
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@jamesandy51,
Try using the epoch time in timechart before you convert it to a string using strftime.
i.e.
client
| eval correct_timestamp = date + " " + hour + ":00:00"
| eval _time=strptime(correct_timestamp,"%Y-%m-%d %H:%M:%S")
| timechart avg(rate) span=1h
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This still does not work. It looks like after I run the |timechart command, it reverts _time to the original value before the eval.
Any other ideas?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your search is slightly incorrect - you're assigning an actual integer to epochtime using strptime, and then using strftime to format/assign it to _time. The field _time should have the epoch value, not the formatted value. This is causing timechart to be confused.
You're on the right track, and Renjith's answer is a correct one.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Got it, I have it working now. Thank you both for the help!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@jamesandy51, if it worked for you, please accept as answer. Thanks
What goes around comes around. If it helps, hit it with Karma 🙂
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
