topic Align timechart with current time in Splunk Search

Align timechart with current time

BenEllisCognia — Tue, 29 Sep 2020 07:36:16 GMT

We've been using the following search

sourcetype=*_catalina ERROR logging_level=ERROR | bucket _time span=4h | timechart count span=4h

that counts the errors every 4 hours throughout the day, e.g.

00:00
04:00
08:00

however, we'd like to see the errors every 4 hours from now, e.g.

15:37:12
19:37:12
23:37:12

Is this possible? How can we achieve this?

Re: Align timechart with current time

somesoni2 — Sun, 25 Oct 2015 18:29:43 GMT

Give this a try

sourcetype=*_catalina ERROR logging_level=ERROR | table _time | eval diff=now()-relative_time(now(),"@h") | eval _time=_time-diff | timechart span=4h count max(diff) as diff | eval _time=_time+diff |fields - diff

Re: Align timechart with current time

BenEllisCognia — Tue, 27 Oct 2015 11:19:06 GMT

This doesn't work as I am wanting, it still gives me a truncated count for the last 4 hours.

It rounds all the events to the nearest hour, if it rounded them to the nearest 4 hour block then it would possibly do what I want.

Re: Align timechart with current time

BenEllisCognia — Tue, 27 Oct 2015 17:06:19 GMT

I've tweaked @somesoni2's answer to suit my needs and it appears to run okay though a little slow, any optimization suggestions would be appreciated.

sourcetype=*_catalina (ERROR OR SEVERE OR FATAL) | where ISNULL(logging_level) OR logging_level="ERROR" OR logging_level="SEVERE" OR logging_level="FATAL" | table _time | eval diff=now()-relative_time(now(),"@d") | eval diff=case(diff < (4*3600), diff - (1*(4*3600)), diff < (2*(4*3600)), diff - (2*(4*3600)), diff < (3*(4*3600)), diff - (3*(4*3600)), diff < (4*(4*3600)), diff - (4*(4*3600)), diff < (5*(4*3600)), diff - (5*(4*3600)), diff < (6*(4*3600)), diff - (6*(4*3600)), diff < (7*(4*3600)), diff - (7*(4*3600))) | eval _time=_time-diff | timechart span=4h count max(diff) as diff | eval _time=_time+diff | fields - diff