https://community.splunk.com/t5/Splunk-Search/How-do-I-create-a-timechart-with-spans-that-aren-t-aligned-to/m-p/438606#M124839 <P>You can add/remove any arbitrary time-segment like this:</P> <PRE><CODE>Your Base Search Here [| makeresults | rename COMMENT AS "This expands the window by 1 minute on each side" | addinfo | eval search = "earliest=" . (info_min_time - 60) . " latest=" . (info_max_time + 60) | table search] | timechart count span=1m </CODE></PRE> Wed, 31 Oct 2018 18:39:21 GMT woodcock 2018-10-31T18:39:21Z https://community.splunk.com/t5/Splunk-Search/How-do-I-create-a-timechart-with-spans-that-aren-t-aligned-to/m-p/438604#M124837 <P>I'm using <CODE>timechat</CODE> to count the number of events per minute in a single value display: <CODE>search | timechart span=1m count</CODE></P> <P>This works fine. However, each time span is aligned to the top of the minute, meaning that the single value is only ever accurate when the search is conducted at the top of the minute. I want my single value to display the total number of requests in the last minute from <EM>now</EM> and not the last <EM>whole</EM> minute.</P> <P>For example, if the search is running at 12:15:39, the single value should show the count of events between 12:14:39 and 12:15:39, rather than the count from 12:14:00 to 12:15:00 (or, if using <CODE>partial=true</CODE>, 12:15:00 to 12:15:39)</P> <P>Is <CODE>timechart</CODE> suitable for this or do I need to use another method?</P> Fri, 19 Oct 2018 02:24:47 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-create-a-timechart-with-spans-that-aren-t-aligned-to/m-p/438604#M124837 lukemundy 2018-10-19T02:24:47Z https://community.splunk.com/t5/Splunk-Search/How-do-I-create-a-timechart-with-spans-that-aren-t-aligned-to/m-p/438605#M124838 <P>You can add/subtract an offset, run your timechart, then subtract/add it back. </P> <P>Here's a run-anywhere example... </P> <PRE><CODE> index=_internal earliest=-610s | addinfo | eval delay=info_max_time % 60 | eval _time = _time - delay | timechart span=1m count | addinfo | eval delay=info_max_time % 60 | eval _time = _time + delay | fields - delay info* </CODE></PRE> <HR /> <P>Notes</P> <P>1) <CODE>timechart</CODE> kills the calculated field, so you have to do it all over again, then delete the added fields as well.</P> <P>2) You can use <CODE>info_max_time</CODE> or <CODE>info_min_time</CODE>, depending on whether you are more concerned about aligning the start of the period or the end of the period. They are functionally equivalent except for edge cases. </P> Fri, 26 Oct 2018 21:59:43 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-create-a-timechart-with-spans-that-aren-t-aligned-to/m-p/438605#M124838 DalJeanis 2018-10-26T21:59:43Z https://community.splunk.com/t5/Splunk-Search/How-do-I-create-a-timechart-with-spans-that-aren-t-aligned-to/m-p/438606#M124839 <P>You can add/remove any arbitrary time-segment like this:</P> <PRE><CODE>Your Base Search Here [| makeresults | rename COMMENT AS "This expands the window by 1 minute on each side" | addinfo | eval search = "earliest=" . (info_min_time - 60) . " latest=" . (info_max_time + 60) | table search] | timechart count span=1m </CODE></PRE> Wed, 31 Oct 2018 18:39:21 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-create-a-timechart-with-spans-that-aren-t-aligned-to/m-p/438606#M124839 woodcock 2018-10-31T18:39:21Z