timechart start at certain time

dmoulais — Wed, 10 Jan 2018 15:16:15 GMT

I have data similiar to the following - this is just a subset as the full data file contains 4 days worth of data. The data was imported as a one shot deal all at once.

2018/1/3/12/34/10 2 1 6.00
2018/1/3/12/35/10 2 1 6.00
2018/1/3/12/36/10 2 1 6.00
2018/1/3/12/37/10 3 1 7.00
2018/1/3/12/38/10 3 1 7.00
2018/1/3/12/39/10 2 1 6.00
2018/1/3/12/40/10 3 1 7.00

To graph the data, we use the following command.

source="/tmp/getsysgfiles/server_cpu.g" | rex "(?\d+\/\d+\/\d+\/\d+\/\d+\/\d+) (?\d+) (?\d+)" | eval _time=strptime(Time,"%Y/%m/%d/%H/%M") | timechart sum(two) span=1m

The problem is that the graph shows all data. For instance, is there a way to modify the command to only show entries from the past 24 hours? If I use the time picker or the "earliest" command, it seems to be using the import time of the data, not the timestamp we converted in strptime.

Re: timechart start at certain time

micahkemp — Wed, 10 Jan 2018 17:16:56 GMT

source="/tmp/getsysgfiles/server_cpu.g" | eval _time=strptime(Time,"%Y/%m/%d/%H/%M") | addinfo | where _time>=info_min_time and _time<info_max_time | timechart sum(two) span=1m

I removed your rex command, as it didn't seem to be extracting a field anyway.

But, really, you should work at getting the timestamp correct at index time. Is there a reason the timestamp you want to use here differs from the event time Splunk has for the event?

topic Re: timechart start at certain time in Splunk Search

timechart start at certain time

Re: timechart start at certain time