Timewrap a 10 minute period of each day, by minute...

bryanwurakawa · ‎06-03-2015

I have a set of results which happen to occur between 4:59pm and 5:08pm each day. How can I timewrap these results with a 1 minute (x) interval?

bryanwurakawa · ‎06-03-2015

I (almost? maybe?) solved it - but would be interested in better ways to do this:

My solution was to add the "where" clause seen below:

| timechart span=m count | timewrap d | where (strftime(_time, "%H:%M") > "16:58" AND strftime(_time, "%H:%M") < "17:09")

HOWEVER: The count of values in the resulting chart are really low. I had 1200 results in the 10 minute timeframe but the bar graph showed about half of that amount.

I got a better graph using:
(date_mday!=22 AND date_hour!=8) ((date_hour=16 AND date_minute="59") OR (date_hour="17" AND date_minute<"9")) | chart count by date_minute, date_mday
but that returns a graph with x showing 0,1,2,3,4,8,59 (the minute values) - where 59 is biggest but should be first (4:59pm vs 5:0x)

bryanwurakawa · ‎06-03-2015

To clarify, I was getting a "truncated results" message when trying like:

| timechart span=m count

| timewrap d

and I was able to get it to display properly as:

| timechart span=m count

| timewrap d

| where (strftime(_time, "%H:%M") > "16:58" AND strftime(_time, "%H:%M") < "17:09")

Timewrap a 10 minute period of each day, by minute, over past 3-4 weeks?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes