https://community.splunk.com/t5/Splunk-Search/Timechart-trend-over-the-same-interval-as-the-search-range/m-p/436260#M124340 <P>Hi!</P> <P>I have a scenario where we have used "| stats count" and gotten the total number for the range that we picked. This has been working fine, but now, we'd like to use <CODE>timechart</CODE> to get trends.</P> <P>However, when using <CODE>timechart</CODE>, the number becomes the latest "bucket" instead of the total number.</P> <P>Example:<BR /> Searching with a time range of 60 minutes would give me the value for the last minute. </P> <P>Been fiddling around with some suggestions but haven't found a reliable solution. This last one:</P> <PRE><CODE>| timechart [search index=_internal | head 1 | addinfo | eval timerange= info_max_time-info_min_time | eval span=if(round(timerange/3600) == infinity, 1, round(timerange/3600))."h" | return span] count | appendpipe [stats count | where count=0] </CODE></PRE> <P>It generates errors like "Error in timechart command. The value for option span (infinityh) is invalid."</P> <P>Any ideas of what I'm doing wrong?</P> <P>/Patrik</P> Thu, 30 Aug 2018 14:30:08 GMT epacke 2018-08-30T14:30:08Z https://community.splunk.com/t5/Splunk-Search/Timechart-trend-over-the-same-interval-as-the-search-range/m-p/436260#M124340 <P>Hi!</P> <P>I have a scenario where we have used "| stats count" and gotten the total number for the range that we picked. This has been working fine, but now, we'd like to use <CODE>timechart</CODE> to get trends.</P> <P>However, when using <CODE>timechart</CODE>, the number becomes the latest "bucket" instead of the total number.</P> <P>Example:<BR /> Searching with a time range of 60 minutes would give me the value for the last minute. </P> <P>Been fiddling around with some suggestions but haven't found a reliable solution. This last one:</P> <PRE><CODE>| timechart [search index=_internal | head 1 | addinfo | eval timerange= info_max_time-info_min_time | eval span=if(round(timerange/3600) == infinity, 1, round(timerange/3600))."h" | return span] count | appendpipe [stats count | where count=0] </CODE></PRE> <P>It generates errors like "Error in timechart command. The value for option span (infinityh) is invalid."</P> <P>Any ideas of what I'm doing wrong?</P> <P>/Patrik</P> Thu, 30 Aug 2018 14:30:08 GMT https://community.splunk.com/t5/Splunk-Search/Timechart-trend-over-the-same-interval-as-the-search-range/m-p/436260#M124340 epacke 2018-08-30T14:30:08Z https://community.splunk.com/t5/Splunk-Search/Timechart-trend-over-the-same-interval-as-the-search-range/m-p/436261#M124341 <P>Timechart is going to give you a new row for each bucket. Why use timechart if you don't want seperate buckets? Why use head 1 to return the latest bucket? If you were sold on using timechart then you would have to force it to use a single bucket by adding <CODE>span=60m</CODE> which would give you identical results of using <CODE>stats</CODE></P> <P>These 2 queries will give identical results </P> <PRE><CODE>| bin _time span=60m | stats count by _time | timechart span=60m count </CODE></PRE> Thu, 30 Aug 2018 16:11:24 GMT https://community.splunk.com/t5/Splunk-Search/Timechart-trend-over-the-same-interval-as-the-search-range/m-p/436261#M124341 skoelpin 2018-08-30T16:11:24Z https://community.splunk.com/t5/Splunk-Search/Timechart-trend-over-the-same-interval-as-the-search-range/m-p/436262#M124342 <P>Timechart is used because I want the trend. Span=60m works but since I have a time picker this would not work for longer search ranges.</P> Fri, 31 Aug 2018 05:41:52 GMT https://community.splunk.com/t5/Splunk-Search/Timechart-trend-over-the-same-interval-as-the-search-range/m-p/436262#M124342 epacke 2018-08-31T05:41:52Z