https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-Timechart-How-get-data-for-last-7-days-for-a-particular/m-p/599580#M49194 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/240908">@onthakur</a>,</P><P>if you have the "date_hour" field you can use the following search:</P><LI-CODE lang="markup">index=your_index time_hour=1 earliest=-7d latest=now | timechart span=1d count</LI-CODE><P>If yu haven't the above field you have to extract it:</P><LI-CODE lang="markup">index=your_index earliest=-7d latest=now | eval time_hour=strftime(_time,"%H") | where time_hour=1 | timechart span=1d count</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Fri, 27 May 2022 12:21:05 GMT gcusello 2022-05-27T12:21:05Z https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-Timechart-How-get-data-for-last-7-days-for-a-particular/m-p/599578#M49192 <P>Hello,</P> <P>I am looking for the timechart option where I can get data for last 7 days for a particular time range.</P> <P>Ex :- if I select time range as 01:00:00 to 02:00:00 AM then should show data for last 7 days for the same time range.</P> <TABLE width="251"> <TBODY> <TR> <TD width="187">Date/Time range</TD> <TD width="64">Count</TD> </TR> <TR> <TD>2022-05-27 01:00:00 02:00:00</TD> <TD>A</TD> </TR> <TR> <TD>2022-05-26 01:00:00 02:00:00</TD> <TD>B</TD> </TR> <TR> <TD>2022-05-25 01:00:00 02:00:00</TD> <TD>C</TD> </TR> <TR> <TD>2022-05-24 01:00:00 02:00:00</TD> <TD>D</TD> </TR> <TR> <TD>2022-05-23 01:00:00 02:00:00</TD> <TD>E</TD> </TR> <TR> <TD>2022-05-22 01:00:00 02:00:00</TD> <TD>F</TD> </TR> <TR> <TD>2022-05-21 01:00:00 02:00:00</TD> <TD>G</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>Thanks</P> <P>&nbsp;</P> Fri, 27 May 2022 15:05:36 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-Timechart-How-get-data-for-last-7-days-for-a-particular/m-p/599578#M49192 onthakur 2022-05-27T15:05:36Z https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-Timechart-How-get-data-for-last-7-days-for-a-particular/m-p/599580#M49194 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/240908">@onthakur</a>,</P><P>if you have the "date_hour" field you can use the following search:</P><LI-CODE lang="markup">index=your_index time_hour=1 earliest=-7d latest=now | timechart span=1d count</LI-CODE><P>If yu haven't the above field you have to extract it:</P><LI-CODE lang="markup">index=your_index earliest=-7d latest=now | eval time_hour=strftime(_time,"%H") | where time_hour=1 | timechart span=1d count</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Fri, 27 May 2022 12:21:05 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-Timechart-How-get-data-for-last-7-days-for-a-particular/m-p/599580#M49194 gcusello 2022-05-27T12:21:05Z https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-Timechart-How-get-data-for-last-7-days-for-a-particular/m-p/599583#M49196 <P>Don't use the time_hour fields! At least unless you understand how it works.</P><P><A href="https://docs.splunk.com/Documentation/Splunk/8.2.6/Knowledge/Usedefaultfields" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.2.6/Knowledge/Usedefaultfields</A></P><P>About the date_* fields:</P><P>"These are fields that provide additional searchable granularity to event timestamps.</P><P><STRONG>Note:</STRONG> Only events that have timestamp information in them as generated by their respective systems will have date_* fields. If an event has a date_* field, it represents the value of time/date directly from the event itself. If you have specified any timezone conversions or changed the value of the time/date at indexing or input time (for example, by setting the timestamp to be the time at index or input time), these fields will not represent that."</P><P>So if have some form of timezone inconsistency between the raw timestamp data in the event and the timezone you're working with, you will have wrong results when working on those date_* results.</P> Fri, 27 May 2022 13:36:58 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-Timechart-How-get-data-for-last-7-days-for-a-particular/m-p/599583#M49196 PickleRick 2022-05-27T13:36:58Z