https://community.splunk.com/t5/Splunk-Search/Splunk-chart-for-time-interval/m-p/479835#M134476 <P>HI ,</P> <P>I am trying to get the number of hits of users for very 3 minutes .</P> <P>And am able to generate the chart with below command.</P> <P>index=jira source="/opt/access_log.2020-04-23" host="xyz | bucket _time span=3m | chart count over user by _time</P> <P>This generated the table but when viewing the events the events are showing only for a particular time and not time span.</P> <P>eg:Its showing events for 12:00 but i need 12:00 to 12:03?</P> <P>Can anyone tell what am i doing wrong?</P> Thu, 23 Apr 2020 13:03:04 GMT aditya22 2020-04-23T13:03:04Z https://community.splunk.com/t5/Splunk-Search/Splunk-chart-for-time-interval/m-p/479835#M134476 <P>HI ,</P> <P>I am trying to get the number of hits of users for very 3 minutes .</P> <P>And am able to generate the chart with below command.</P> <P>index=jira source="/opt/access_log.2020-04-23" host="xyz | bucket _time span=3m | chart count over user by _time</P> <P>This generated the table but when viewing the events the events are showing only for a particular time and not time span.</P> <P>eg:Its showing events for 12:00 but i need 12:00 to 12:03?</P> <P>Can anyone tell what am i doing wrong?</P> Thu, 23 Apr 2020 13:03:04 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-chart-for-time-interval/m-p/479835#M134476 aditya22 2020-04-23T13:03:04Z https://community.splunk.com/t5/Splunk-Search/Splunk-chart-for-time-interval/m-p/479836#M134477 <P>The <CODE>bucket</CODE> command "rounds off" the time to the start of the interval. You'll see events for 12:00, 12:03, 12:06, etc. rather than 12:00, 12:01, 12:02 and so on.</P> <P>You can try <CODE>timechart</CODE>, but you'll likely get the same results.</P> <PRE><CODE>index=jira source="/opt/access_log.2020-04-23" host="xyz" | timechart span=3m count by user </CODE></PRE> Thu, 23 Apr 2020 13:21:33 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-chart-for-time-interval/m-p/479836#M134477 richgalloway 2020-04-23T13:21:33Z https://community.splunk.com/t5/Splunk-Search/Splunk-chart-for-time-interval/m-p/479837#M134478 <P>Thanks much for the response.</P> <P>index=jira source="/opt/access_log.2020-04-23" host="xyz | bucket _time span=3m | chart count over user by _time</P> <P>But getting error.</P> <P>Error in 'timechart' command: You must specify data field(s) to chart.</P> Thu, 23 Apr 2020 13:45:22 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-chart-for-time-interval/m-p/479837#M134478 aditya22 2020-04-23T13:45:22Z https://community.splunk.com/t5/Splunk-Search/Splunk-chart-for-time-interval/m-p/479838#M134479 <P>The error doesn't match the query. There is no <CODE>timechart</CODE> command in the query.</P> Thu, 23 Apr 2020 14:14:24 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-chart-for-time-interval/m-p/479838#M134479 richgalloway 2020-04-23T14:14:24Z https://community.splunk.com/t5/Splunk-Search/Splunk-chart-for-time-interval/m-p/479839#M134480 <P>oh sorry missed that.</P> <P>This was the query.</P> <P>index=jira source="/opt/access_log.2020-04-23" host="xyz | timechart span=3m | chart count over user by _time</P> Thu, 23 Apr 2020 15:22:37 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-chart-for-time-interval/m-p/479839#M134480 aditya22 2020-04-23T15:22:37Z https://community.splunk.com/t5/Splunk-Search/Splunk-chart-for-time-interval/m-p/479840#M134481 <P>Please look closely at my answer. <CODE>bucket</CODE> and <CODE>chart</CODE> are replaced by <CODE>timechart</CODE>.</P> Thu, 23 Apr 2020 17:06:00 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-chart-for-time-interval/m-p/479840#M134481 richgalloway 2020-04-23T17:06:00Z