https://community.splunk.com/t5/Splunk-Search/tstat-hourly-time-span-without-snapping-to-hour-relative-to/m-p/543630#M153991 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/232336">@akarollil</a>,</P><P>tstats command cannot do it but you can achieve by using timechart command.</P><P>Please try below;</P><LI-CODE lang="markup">| tstats count, sum(X) as X , sum(Y) as Y FROM datamodel=ZModel BY _time span=30m | timechart span=1h aligntime=@h+30m sum(count) sum(X) sum(Y)</LI-CODE> Sat, 13 Mar 2021 10:30:18 GMT scelikok 2021-03-13T10:30:18Z https://community.splunk.com/t5/Splunk-Search/tstat-hourly-time-span-without-snapping-to-hour-relative-to/m-p/543227#M153888 <P>Hello,</P><P>I am trying to collect stats per hour using a data model for a absolute time range that starts 30 minutes past the hour. The query looks something like:</P><P><FONT face="courier new,courier">|tstats count, sum(X), sum(Y) FROM datamodel=ZModel BY _time span=1h</FONT></P><P>I choose a time range using the Date &amp; Time Range picker, but the range starts at 30 minutes past the hour. So say something like Jan 1 16:30 to Jan 2 16:30. The problem I have is that the time 'buckets' in the result snap to the hour, and so the hourly ranges are like 16:00 - 17:00, 17:00 - 18:00 and so forth rather than 16:30 - 17:30, 17:30 - 18:30 and so forth.</P><P>Is there anyway to make the time buckets start off relative to the start time specified rather than snap to the hour? I tried using earliest= latest= instead of using the Date &amp; Time Range picker, but that didn't help either.</P> Wed, 10 Mar 2021 17:44:38 GMT https://community.splunk.com/t5/Splunk-Search/tstat-hourly-time-span-without-snapping-to-hour-relative-to/m-p/543227#M153888 akarollil 2021-03-10T17:44:38Z https://community.splunk.com/t5/Splunk-Search/tstat-hourly-time-span-without-snapping-to-hour-relative-to/m-p/543567#M153970 <P>Somebody? Anybody?</P> Fri, 12 Mar 2021 17:20:59 GMT https://community.splunk.com/t5/Splunk-Search/tstat-hourly-time-span-without-snapping-to-hour-relative-to/m-p/543567#M153970 akarollil 2021-03-12T17:20:59Z https://community.splunk.com/t5/Splunk-Search/tstat-hourly-time-span-without-snapping-to-hour-relative-to/m-p/543630#M153991 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/232336">@akarollil</a>,</P><P>tstats command cannot do it but you can achieve by using timechart command.</P><P>Please try below;</P><LI-CODE lang="markup">| tstats count, sum(X) as X , sum(Y) as Y FROM datamodel=ZModel BY _time span=30m | timechart span=1h aligntime=@h+30m sum(count) sum(X) sum(Y)</LI-CODE> Sat, 13 Mar 2021 10:30:18 GMT https://community.splunk.com/t5/Splunk-Search/tstat-hourly-time-span-without-snapping-to-hour-relative-to/m-p/543630#M153991 scelikok 2021-03-13T10:30:18Z https://community.splunk.com/t5/Splunk-Search/tstat-hourly-time-span-without-snapping-to-hour-relative-to/m-p/543875#M154060 <P>Thanks a lot&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/206061">@scelikok</a>&nbsp;! That worked. I think I had seen <FONT face="courier new,courier">aligntime</FONT> but couldn't figure out how to use it with <FONT face="courier new,courier">tstats</FONT> or <FONT face="courier new,courier">timechart</FONT>.&nbsp;</P> Mon, 15 Mar 2021 15:17:53 GMT https://community.splunk.com/t5/Splunk-Search/tstat-hourly-time-span-without-snapping-to-hour-relative-to/m-p/543875#M154060 akarollil 2021-03-15T15:17:53Z https://community.splunk.com/t5/Splunk-Search/tstat-hourly-time-span-without-snapping-to-hour-relative-to/m-p/543884#M154061 <P>You're welcome&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/232336">@akarollil</a></P><P>Please accept the answer for community.</P> Mon, 15 Mar 2021 15:33:26 GMT https://community.splunk.com/t5/Splunk-Search/tstat-hourly-time-span-without-snapping-to-hour-relative-to/m-p/543884#M154061 scelikok 2021-03-15T15:33:26Z