topic How to use timechart or bucket span to view the result every 30 mins using below query? in Splunk Search

How to use timechart or bucket span to view the result every 30 mins using below query?

anil1219 — Mon, 18 Sep 2023 22:10:00 GMT

Hi,

I want to use timechart or bucket span to view the result every 30 mins using below query.

Could you please let me know how I can use timechart or bucket span=30m _time here.

index=* handler=traffic <today timerange>
| stats dc(dsid) as today_Traffic
| appendcols
[search index=* handler=traffic <yesterday timerange>
| stats dc(dsid) as Previous_day_Traffic]
| eval delta_traffic = today_Traffic-Previous_day_Traffic

Re: timechart using eval

ITWhisperer — Sat, 16 Sep 2023 06:00:15 GMT

Try something like this

index=* handler=traffic <today timerange> OR <yesterday timerange> | eval day=if(_time < relative_time(now(),"@d"), "yesterday", "today") | timechart span=30m dc(dsid) as traffic by day | eval delta_traffic = today-yesterday

Re: timechart using eval

bowesmana — Mon, 18 Sep 2023 00:44:54 GMT

You can use timechart/timewrap if you want to end up with a timechart dataset which you can plot overlaid on each other

index=* handler=traffic (earliest=-1d@d latest=@d) OR (earliest=@d latest=now) | timechart span=30m dc(dsid) as traffic | timewrap 1d | eval delta=traffic_latest_day - traffic_1day_before

or you can 'move' the previous day values to 'today' for charting purposes, by just adding 86400 (seconds in a day) to yesterday's value (which is what timewrap effectively does).

index=* handler=traffic (earliest=-1d@d latest=@d) OR (earliest=@d latest=now) | eval d=if(_time>=relative_time(now(), "@d"), "today", "yesterday") | eval _time=_time + if(d="yesterday", 86400, 0) | timechart fixedrange=f span=30m dc(dsid) by d | eval delta=today-yesterday