https://community.splunk.com/t5/Splunk-Search/Timechart-span-30m-show-data-in-15th-and-45th-min/m-p/432544#M170703 <P>@askkawalkar - Did you get chance to check answer?</P> Fri, 21 Jun 2019 07:14:37 GMT VatsalJagani 2019-06-21T07:14:37Z https://community.splunk.com/t5/Splunk-Search/Timechart-span-30m-show-data-in-15th-and-45th-min/m-p/432542#M170701 <P>I am trying to create a timechart <BR /> base search ... <BR /> | timechart span=30m latest(COUNT) as COUNT by NAME</P> <P>it is providing me events for field <STRONG>"_time"</STRONG> as : "12:00", "12:30", "01:00", "01:30" .. and so on..</P> <P>I want field <STRONG>"_time"</STRONG> as : "12:15", "12:45", "01:15", "1:45" ... and so on...</P> <P>Is there any solution to convert _time.</P> <P>Thanks in advance.</P> Tue, 18 Jun 2019 07:02:43 GMT https://community.splunk.com/t5/Splunk-Search/Timechart-span-30m-show-data-in-15th-and-45th-min/m-p/432542#M170701 askkawalkar 2019-06-18T07:02:43Z https://community.splunk.com/t5/Splunk-Search/Timechart-span-30m-show-data-in-15th-and-45th-min/m-p/432543#M170702 <P>Hello @askkawalkar,</P> <P>This query worked for me. Instead of timechart use below list of evals, stat and chart to achieve your requirement.</P> <PRE><CODE>&lt;your query&gt; | bin _time span=15m | stats latest(COUNT) as COUNT by _time, NAME | eval _time=_time/100 | eval _time=if(_time%2==0,_time-9,_time) | eval _time=_time*100 | chart last(COUNT) as COUNT over _time by NAME </CODE></PRE> Tue, 18 Jun 2019 12:21:24 GMT https://community.splunk.com/t5/Splunk-Search/Timechart-span-30m-show-data-in-15th-and-45th-min/m-p/432543#M170702 VatsalJagani 2019-06-18T12:21:24Z https://community.splunk.com/t5/Splunk-Search/Timechart-span-30m-show-data-in-15th-and-45th-min/m-p/432544#M170703 <P>@askkawalkar - Did you get chance to check answer?</P> Fri, 21 Jun 2019 07:14:37 GMT https://community.splunk.com/t5/Splunk-Search/Timechart-span-30m-show-data-in-15th-and-45th-min/m-p/432544#M170703 VatsalJagani 2019-06-21T07:14:37Z https://community.splunk.com/t5/Splunk-Search/Timechart-span-30m-show-data-in-15th-and-45th-min/m-p/432545#M170704 <P>here is another way of achieving your goal with the <CODE>aligntime</CODE> attribute:<BR /> read here:<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Bin#Bin_options">https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Bin#Bin_options</A></P> <P>run this search anywhere:</P> <PRE><CODE>| gentimes start=-2 increment=1m | eval _time = starttime | eval number = random()%200 | bin _time span=30m aligntime=@d+15m | timechart max(number) as max_number </CODE></PRE> <P>hope it helps</P> Fri, 21 Jun 2019 13:03:51 GMT https://community.splunk.com/t5/Splunk-Search/Timechart-span-30m-show-data-in-15th-and-45th-min/m-p/432545#M170704 adonio 2019-06-21T13:03:51Z https://community.splunk.com/t5/Splunk-Search/Timechart-span-30m-show-data-in-15th-and-45th-min/m-p/432546#M170705 <P>Hi @VatsalJagani ,</P> <P>Thanks for your quick help. This solution worked for me.</P> <P>Below is the run anywhere query (@adonio: thanks for providing run anywhere search)</P> <PRE><CODE>| gentimes start=-2 increment=30m | eval _time = starttime | eval number = random()%200 | bin _time span=15m | stats latest(number) as COUNT by _time | eval _time=_time/100 | eval _time=if(_time%2==0,_time-9,_time) | eval _time=_time*100 | chart last(COUNT) as COUNT over _time </CODE></PRE> <P>Regards,<BR /> Ankush</P> Fri, 21 Jun 2019 14:36:46 GMT https://community.splunk.com/t5/Splunk-Search/Timechart-span-30m-show-data-in-15th-and-45th-min/m-p/432546#M170705 askkawalkar 2019-06-21T14:36:46Z https://community.splunk.com/t5/Splunk-Search/Timechart-span-30m-show-data-in-15th-and-45th-min/m-p/432547#M170706 <P>Hi @adonio ,</P> <P>Thanks for your help in search anywhere.</P> <P>Thanks,<BR /> Ankush</P> Fri, 21 Jun 2019 14:42:27 GMT https://community.splunk.com/t5/Splunk-Search/Timechart-span-30m-show-data-in-15th-and-45th-min/m-p/432547#M170706 askkawalkar 2019-06-21T14:42:27Z