topic Re: span not working with db query in Splunk Dev https://community.splunk.com/t5/Splunk-Dev/span-not-working-with-db-query/m-p/358833#M5806 <P>The span attribute works on the column preceding it. Does the u_short_description field contains timestamp in epoch format? If the u_real_hit_time field contains timestamp, then you need to move span just after that in chart command.</P> <PRE><CODE>| dbxquery query="SELECT some select statement | eval u_total_time=u_total_time/1000 | chart avg(u_total_time) over u_real_hit_time span=1m by u_short_description </CODE></PRE> <P>See this for example<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.5.3/SearchReference/Chart#6:_Chart_the_number_of_events.2C_grouped_by_date_and_hour" target="_blank">http://docs.splunk.com/Documentation/Splunk/6.5.3/SearchReference/Chart#6:_Chart_the_number_of_events.2C_grouped_by_date_and_hour</A></P> Tue, 29 Sep 2020 15:17:24 GMT somesoni2 2020-09-29T15:17:24Z span not working with db query https://community.splunk.com/t5/Splunk-Dev/span-not-working-with-db-query/m-p/358832#M5805 <P>i have a search like so :</P> <P>| dbxquery query="SELECT some select statement<BR /> | eval u_total_time=u_total_time/1000 <BR /> | chart avg(u_total_time) over u_real_hit_time by u_short_description span=1m</P> <P>However the span=1 seems to be ignored and the results are still presenting in second intervals.</P> <P>I have moved the span cmd to after the chart cmd and also tried using stats and timechart but the span cmd is ignored in all searches.</P> <P>Ideas ?</P> <P>cheers.</P> Tue, 29 Sep 2020 15:17:21 GMT https://community.splunk.com/t5/Splunk-Dev/span-not-working-with-db-query/m-p/358832#M5805 Esky73 2020-09-29T15:17:21Z Re: span not working with db query https://community.splunk.com/t5/Splunk-Dev/span-not-working-with-db-query/m-p/358833#M5806 <P>The span attribute works on the column preceding it. Does the u_short_description field contains timestamp in epoch format? If the u_real_hit_time field contains timestamp, then you need to move span just after that in chart command.</P> <PRE><CODE>| dbxquery query="SELECT some select statement | eval u_total_time=u_total_time/1000 | chart avg(u_total_time) over u_real_hit_time span=1m by u_short_description </CODE></PRE> <P>See this for example<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.5.3/SearchReference/Chart#6:_Chart_the_number_of_events.2C_grouped_by_date_and_hour" target="_blank">http://docs.splunk.com/Documentation/Splunk/6.5.3/SearchReference/Chart#6:_Chart_the_number_of_events.2C_grouped_by_date_and_hour</A></P> Tue, 29 Sep 2020 15:17:24 GMT https://community.splunk.com/t5/Splunk-Dev/span-not-working-with-db-query/m-p/358833#M5806 somesoni2 2020-09-29T15:17:24Z