https://community.splunk.com/t5/Getting-Data-In/milliseconds-in-time/m-p/69524#M14118 <P>I don't know if it's mis-parsing the data and getting milliseconds, but that's a separate issue. You can fix that by providing explicit TIME_FORMAT and TIME_PREFIX to match your data. </P> <P>As for reporting, however, you should simply be able to do:</P> <PRE><CODE>| timechart span=1s sum(column3) </CODE></PRE> <P>or use whatever time span you like. </P> <P>Also, I'm not sure why you'd need <CODE>stats</CODE> first. If this is a simplification, and you <EM>do</EM> need stats, you can force a span onto the with:</P> <PRE><CODE>... | bucket span=10m _time | stats sum(column3) as total_colum3 by _time | ... </CODE></PRE> <P>So whether or not the data has milliseconds, you should be able to adjust for it.</P> Tue, 29 Mar 2011 07:04:22 GMT gkanapathy 2011-03-29T07:04:22Z https://community.splunk.com/t5/Getting-Data-In/milliseconds-in-time/m-p/69523#M14117 <P>Splunk is picking up a csv file that looks like this:</P> <PRE><CODE>SP A,03/27/11 13:10:00,10,4,5,6 SP A,03/27/11 13:20:00,4,4,2,0 SP A,03/27/11 13:30:00,1,1,5,4 ... SP B,03/27/11 13:10:00,15,2,3,6 SP B,03/27/11 13:20:00,1,8,5,0 SP B,03/27/11 13:30:00,2,2,3,4 </CODE></PRE> <P>My assumption was that I would be able to do this:</P> <P><CODE>| stats sum(column3) as total_column3 by _time |timechart avg(total_column3)</CODE></P> <P>and end up with 25,5,3. But splunk is adding milliseconds to _time resulting in unique times/events:</P> <PRE><CODE>3/27/11 1:10:00.400 PM SP A,03/27/11 13:10:00,10,4,5,6 ... 3/27/11 1:10:00.247 PM SP B,03/27/11 13:10:00,15,2,3,6 </CODE></PRE> <P>I could use the date stamp column from the csv:</P> <P><CODE>| stats sum(column3) as total_column3 by column2 |chart avg(total_column3) by column2</CODE></P> <P>but I want to be able to use timechart and adjust span so I don't always have to use 10 minute intervals. </P> <P>Should I be importing the data differently or is there a way around this?</P> Tue, 29 Mar 2011 06:21:23 GMT https://community.splunk.com/t5/Getting-Data-In/milliseconds-in-time/m-p/69523#M14117 dinisco 2011-03-29T06:21:23Z https://community.splunk.com/t5/Getting-Data-In/milliseconds-in-time/m-p/69524#M14118 <P>I don't know if it's mis-parsing the data and getting milliseconds, but that's a separate issue. You can fix that by providing explicit TIME_FORMAT and TIME_PREFIX to match your data. </P> <P>As for reporting, however, you should simply be able to do:</P> <PRE><CODE>| timechart span=1s sum(column3) </CODE></PRE> <P>or use whatever time span you like. </P> <P>Also, I'm not sure why you'd need <CODE>stats</CODE> first. If this is a simplification, and you <EM>do</EM> need stats, you can force a span onto the with:</P> <PRE><CODE>... | bucket span=10m _time | stats sum(column3) as total_colum3 by _time | ... </CODE></PRE> <P>So whether or not the data has milliseconds, you should be able to adjust for it.</P> Tue, 29 Mar 2011 07:04:22 GMT https://community.splunk.com/t5/Getting-Data-In/milliseconds-in-time/m-p/69524#M14118 gkanapathy 2011-03-29T07:04:22Z https://community.splunk.com/t5/Getting-Data-In/milliseconds-in-time/m-p/69525#M14119 <P>Thanks again, as always. The bucket span option did the trick.</P> <P>The reason I'm using stats to sum is because I want to sum column3 for SPA and SPB then take an average over time. If I used sum in timechart it would add column3 and the data would be misrepresented whenever timechart span exceeded 10 mins.</P> Wed, 30 Mar 2011 05:12:53 GMT https://community.splunk.com/t5/Getting-Data-In/milliseconds-in-time/m-p/69525#M14119 dinisco 2011-03-30T05:12:53Z