Splunk Search

timechart day offset

jeff
Contributor

I am trying to run a timechart against a summary index (the summary is populated once an hour) and split into 24 hour segments:

index=summary search_name=my_summary earliest=-30d@h latest=@h
| timechart span=24h count by target

If I set span=1d the buckets are split at midnight. I really want them to be split into 24-hour buckets that align with the time the search is run, though. Whether I set span=24h, span=1440m or span=86400s, the segment is split at 8pm each day (regardless of when the search is run), resulting in 31 bins (29 with 24 events per target, and 2 at the beginning and end of the span with whatever adds up to 24, 11+13 for instance).

I've also tried bins=30 by itself (2 bins split at month markers) and span=24h bins=30 (bins ignored).

Splunk 4.3

Any thoughts or sanity checks welcome and appreciated.


dwaddle
SplunkTrust

You may be able to do this mathematically by decomposing timechart and manipulating _time somewhere in the middle.

The timechart command is very close to this sequence of individual commands:

... | bucket span=XX _time | chart count over _time by target

It is the bucket command (or its equivalent within timechart) that is "rounding down" to the nearest value of span. What you may be able to do is something like this:

... | bucket span=1h _time 
| addinfo
| <STUFF>
| timechart span=1d count by target

The "STUFF" is the tricky part. You'll need to do some eval magic to add-or-subtract from _time to shift events forward or backward in time. The addinfo command will introduce a couple of new fields to assist with this, specifically info_search_time which will be a time_t type value (seconds since 1970) of when the search was started.

So, the "STUFF" might start out something like:

| eval hour_of_search=tonumber(strftime(info_search_time,"%H"))
| eval hour_of_time=tonumber(strftime(_time,"%H"))
| eval hourshift=if(hour_of_time >= hour_of_search,(24-hour_of_search),0)
| eval _time=_time + hourshift*3600

Note I have no idea if the algebra there is right or not. It's just to demonstrate the general idea that _time is mutable, and if you can mathematically work out how to get what you want you can fuzz events forward or backward in time as needed to put them in the "same day" as you define your day.
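An added example, not from the original post, that carries the idea above through to a complete search. Instead of conditionally pushing events forward, it shifts every event back by the hour-of-day at which the search started, lets timechart bucket at local midnight with span=1d, and then shifts the bucket labels forward by the same amount so each row is labelled with the real start of its 24-hour window. It assumes the index, search_name and target field from the question; the hour-of-day comes from the info_search_time field that addinfo adds, and because the question's search uses latest=@h the bucket boundary falls exactly on the hour the search was run. (The 8pm boundary seen with span=24h is consistent with that span being aligned to the Unix epoch, i.e. midnight UTC, viewed from a UTC-4 timezone; span=1d aligns to local midnight instead, which is what this search exploits.)

```spl
index=summary search_name=my_summary earliest=-30d@h latest=@h
| addinfo
| eval offset_secs=tonumber(strftime(info_search_time,"%H"))*3600
| eval _time=_time-offset_secs
| timechart span=1d count by target
| addinfo
| eval _time=_time+tonumber(strftime(info_search_time,"%H"))*3600
```

Because the search window is exactly 30 days long and, after the subtraction, starts at local midnight, this yields 30 bins with 24 hourly summaries per target rather than 31 with ragged ends. timechart drops offset_secs along with every other non-output field, which is why addinfo is called a second time to recompute the shift for the labels. Two caveats: strftime's %H and span=1d both use the search user's timezone, so a bucket that straddles a DST change will be 23 or 25 hours long, and if latest is changed to something not aligned to the hour (for example now) the last bin will be partial. Later Splunk releases than the 4.3 in the question add an aligntime option to the bin command (aligntime=earliest aligns buckets to the start of the search window), which makes this arithmetic unnecessary where it is available.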
