https://community.splunk.com/t5/Splunk-Search/how-to-write-time-function-to-take-the-data-for-all-7-days-i/m-p/281185#M176293 <P>Please share your query.</P> Wed, 26 Oct 2016 11:30:07 GMT sundareshr 2016-10-26T11:30:07Z https://community.splunk.com/t5/Splunk-Search/how-to-write-time-function-to-take-the-data-for-all-7-days-i/m-p/281184#M176292 <P>Hi,</P> <P>I have scenario like having timechart to show spikes for different dates(ex for 7 days).But now it shows same value for all 7 days.</P> <P>I have intro_max_time and intro_min_time in the format (1477480327.000 which pertains todays date).The condition which i gave is eval _time=info_max_time which takes only today data (ie intro_max_time) .</P> <P>I want to write this eval function for comparing the data for all the days between this intro_max_time and intro_min_time for getting the spikes.</P> <P>Please suggest me .</P> Tue, 29 Sep 2020 11:36:12 GMT https://community.splunk.com/t5/Splunk-Search/how-to-write-time-function-to-take-the-data-for-all-7-days-i/m-p/281184#M176292 umsundar2015 2020-09-29T11:36:12Z https://community.splunk.com/t5/Splunk-Search/how-to-write-time-function-to-take-the-data-for-all-7-days-i/m-p/281185#M176293 <P>Please share your query.</P> Wed, 26 Oct 2016 11:30:07 GMT https://community.splunk.com/t5/Splunk-Search/how-to-write-time-function-to-take-the-data-for-all-7-days-i/m-p/281185#M176293 sundareshr 2016-10-26T11:30:07Z https://community.splunk.com/t5/Splunk-Search/how-to-write-time-function-to-take-the-data-for-all-7-days-i/m-p/281186#M176294 <P>| addinfo | eval _time=intro_max_time |timechart span=1d count by remark_status . </P> <P>iam selecting time range as last 7 days..</P> Tue, 29 Sep 2020 11:36:15 GMT https://community.splunk.com/t5/Splunk-Search/how-to-write-time-function-to-take-the-data-for-all-7-days-i/m-p/281186#M176294 umsundar2015 2020-09-29T11:36:15Z https://community.splunk.com/t5/Splunk-Search/how-to-write-time-function-to-take-the-data-for-all-7-days-i/m-p/281187#M176295 <P>As long as your events have correct values for <CODE>_time</CODE> field, you don't need <CODE>| addinfo | eval _time=intro_max_time</CODE>. Try this instead. </P> <PRE><CODE>index=foo sourcetype=bar | timechart span=1d cont=t count by remark_status </CODE></PRE> Wed, 26 Oct 2016 12:17:14 GMT https://community.splunk.com/t5/Splunk-Search/how-to-write-time-function-to-take-the-data-for-all-7-days-i/m-p/281187#M176295 sundareshr 2016-10-26T12:17:14Z https://community.splunk.com/t5/Splunk-Search/how-to-write-time-function-to-take-the-data-for-all-7-days-i/m-p/281188#M176296 <P>i am getting no results .</P> <P>what is the use of cont=t ???</P> Wed, 26 Oct 2016 12:35:52 GMT https://community.splunk.com/t5/Splunk-Search/how-to-write-time-function-to-take-the-data-for-all-7-days-i/m-p/281188#M176296 umsundar2015 2016-10-26T12:35:52Z https://community.splunk.com/t5/Splunk-Search/how-to-write-time-function-to-take-the-data-for-all-7-days-i/m-p/281189#M176297 <P><CODE>cont: Specifies whether the chart is continuous or not. If set to true, the Search application fills in the time gaps</CODE>. What do you get when you run this query</P> <PRE><CODE>index=foo sourcetype=bar earliest=-7d@d | dedup _time | table _time remark_status _raw </CODE></PRE> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Timechart">http://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Timechart</A></P> Wed, 26 Oct 2016 12:47:57 GMT https://community.splunk.com/t5/Splunk-Search/how-to-write-time-function-to-take-the-data-for-all-7-days-i/m-p/281189#M176297 sundareshr 2016-10-26T12:47:57Z