https://community.splunk.com/t5/Splunk-Enterprise/Time-slicing-issue/m-p/488987#M1710 <P>I need the time slicing here like</P> <P>I want to see four event for span=1h in the last four hours filter .</P> <P>Something like below</P> <P>| bin _time span=1h | fields _time</P> <P>result should be</P> <P>_time</P> <P>2020-04-29 10:00<BR /> 2020-04-29 9:00<BR /> 2020-04-29 8:00<BR /> 2020-04-29 7:00</P> <P>I want to get all the time span irrespective of count have null also,so I am trying to apply cross join using below "join max =0" once I got proper Time slicing</P> <P>| makeresults | bin _time span=1h | fields _time | join max=0 [search index="us_west_prod_power_platform" sourcetype="spark:metric" metricName="HRTBT_LHIST_METRIC_DD" host="emr-prod-distributor" | spath output=osm_zone_id path=dimensions{2}.value | dedup osm_zone_id | fields osm_zone_id] | table _time, osm_zone_id</P> <P>Kindly help us.</P> Wed, 30 Sep 2020 05:15:22 GMT manibattula 2020-09-30T05:15:22Z https://community.splunk.com/t5/Splunk-Enterprise/Time-slicing-issue/m-p/488982#M1705 <P>I have below query and it should gives result of time filter of last four hours (or) last 24 hours.</P> <P>|makeresults |bucket _time span=1h|stats count by _time</P> <P>But it giving only latest hour instead of 4 records for last four hours filter (or) 24 records for last 24 hours filter.</P> <P>Kindly help us.</P> Sun, 07 Jun 2020 00:58:59 GMT https://community.splunk.com/t5/Splunk-Enterprise/Time-slicing-issue/m-p/488982#M1705 manibattula 2020-06-07T00:58:59Z https://community.splunk.com/t5/Splunk-Enterprise/Time-slicing-issue/m-p/488983#M1706 <P><CODE>makeresults</CODE> by itself generates a single event with the current timestamp. Therefore, that event will fit into a single hour bucket. If you tell <CODE>makeresults</CODE> to generate multiple events, those events will have the same timestamp and you'll still have everything in a single bucket.</P> <P>Please describe the problem you are trying to solve and we may be able to suggest a solution.</P> Wed, 29 Apr 2020 14:59:09 GMT https://community.splunk.com/t5/Splunk-Enterprise/Time-slicing-issue/m-p/488983#M1706 richgalloway 2020-04-29T14:59:09Z https://community.splunk.com/t5/Splunk-Enterprise/Time-slicing-issue/m-p/488984#M1707 <P>Can you please let us know how to handle the above query getting each event with respect to span limit</P> Wed, 29 Apr 2020 15:39:43 GMT https://community.splunk.com/t5/Splunk-Enterprise/Time-slicing-issue/m-p/488984#M1707 manibattula 2020-04-29T15:39:43Z https://community.splunk.com/t5/Splunk-Enterprise/Time-slicing-issue/m-p/488985#M1708 <P>The current query does nothing. Please describe the real problem you are trying to solve.</P> Wed, 29 Apr 2020 15:57:07 GMT https://community.splunk.com/t5/Splunk-Enterprise/Time-slicing-issue/m-p/488985#M1708 richgalloway 2020-04-29T15:57:07Z https://community.splunk.com/t5/Splunk-Enterprise/Time-slicing-issue/m-p/488986#M1709 <P>I need the time slicing here like </P> <P>I want to see four event for span=1h in the last four hours filter .</P> <P>Something like below</P> <P>| bin _time span=1h | fields _time </P> <P>result should be </P> <H2>_time</H2> <P>2020-04-29 10:00<BR /> 2020-04-29 9:00<BR /> 2020-04-29 8:00<BR /> 2020-04-29 7:00</P> <P>I want to get all the time span irrespective of count have null also,so I am trying to apply cross join using below "join max =0" once I got proper Time slicing</P> <P>| makeresults | bin _time span=1h | fields _time | join max=0 [search index="us_west_prod_power_platform" sourcetype="spark:metric" metricName="HRTBT_LHIST_METRIC_DD" host="emr-prod-distributor" | spath output=osm_zone_id path=dimensions{2}.value | dedup osm_zone_id | fields osm_zone_id] | table _time, osm_zone_id </P> <P>Kindly help us.</P> Wed, 30 Sep 2020 05:15:19 GMT https://community.splunk.com/t5/Splunk-Enterprise/Time-slicing-issue/m-p/488986#M1709 manibattula 2020-09-30T05:15:19Z https://community.splunk.com/t5/Splunk-Enterprise/Time-slicing-issue/m-p/488987#M1710 <P>I need the time slicing here like</P> <P>I want to see four event for span=1h in the last four hours filter .</P> <P>Something like below</P> <P>| bin _time span=1h | fields _time</P> <P>result should be</P> <P>_time</P> <P>2020-04-29 10:00<BR /> 2020-04-29 9:00<BR /> 2020-04-29 8:00<BR /> 2020-04-29 7:00</P> <P>I want to get all the time span irrespective of count have null also,so I am trying to apply cross join using below "join max =0" once I got proper Time slicing</P> <P>| makeresults | bin _time span=1h | fields _time | join max=0 [search index="us_west_prod_power_platform" sourcetype="spark:metric" metricName="HRTBT_LHIST_METRIC_DD" host="emr-prod-distributor" | spath output=osm_zone_id path=dimensions{2}.value | dedup osm_zone_id | fields osm_zone_id] | table _time, osm_zone_id</P> <P>Kindly help us.</P> Wed, 30 Sep 2020 05:15:22 GMT https://community.splunk.com/t5/Splunk-Enterprise/Time-slicing-issue/m-p/488987#M1710 manibattula 2020-09-30T05:15:22Z https://community.splunk.com/t5/Splunk-Enterprise/Time-slicing-issue/m-p/488988#M1711 <P>The <CODE>timechart</CODE> command will fill in missing time frames. Try</P> <PRE><CODE>index="us_west_prod_power_platform" sourcetype="spark:metric" metricName="HRTBT_LHIST_METRIC_DD" host="emr-prod-distributor" | spath output=osm_zone_id path=dimensions{2}.value | dedup osm_zone_id | fields _time osm_zone_id | timechart span=1h values(osm_zone_id) as osm_zone_id | table _time, osm_zone_id </CODE></PRE> Wed, 29 Apr 2020 17:26:37 GMT https://community.splunk.com/t5/Splunk-Enterprise/Time-slicing-issue/m-p/488988#M1711 richgalloway 2020-04-29T17:26:37Z