Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Snap-to-time in timechart

rsuryasaputra1
New Member
‎11-14-2018 04:31 PM

Hello

I'm confused about this behaviour... the search works if the span is just weekly; but fails when putting w1.

| timechart span=w@w1 dc(serial)

returns with error
Streamed search execute failed because: Error in 'bin' command: The value for option span (w@w1) is invalid. When span is expressed using a sub-second unit (ds, cs, ms, us), the span value needs to be < 1 second, and 1 second must be evenly divisible by the span value.

Splunk Enterprise 6.6.3.

Thank you in advanced for your help and insights!

Tags (1)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎11-19-2018 11:14 AM

The searches you posted as broken are working for me. Have you considered upgrading, just in case 6.6.3 might have a bug around this feature? It was new for 6.6.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎11-15-2018 04:44 AM

Do post your entire search.

0 Karma
Reply

rsuryasaputra1
New Member
‎11-18-2018 10:29 PM

Thanks for your responses so far. I'm querying summarised index here.

index="tv" sourcetype="stash" group="voice_analytics" source="voice_googleid_linked" | timechart span=1w dc(serial) as "# of TVs linked" <== works, last 30 days (i.e. from 20-Oct) buckets to weeks starting from Saturday.

index="tv" sourcetype="stash" group="voice_analytics" source="voice_googleid_linked" | timechart span=1w@w dc(serial) as "# of TVs linked" <== Streamed search execute failed because: Error in 'bin' command: The value for option span (1w@w) is invalid. When span is expressed using a sub-second unit (ds, cs, ms, us), the span value needs to be < 1 second, and 1 second must be evenly divisible by the span value.

index="tv" sourcetype="stash" group="voice_analytics" source="voice_googleid_linked" | timechart span=1w@w3 dc(serial) as "# of TVs linked" <== Streamed search execute failed because: Error in 'bin' command: The value for option span (1w@w3) is invalid. When span is expressed using a sub-second unit (ds, cs, ms, us), the span value needs to be < 1 second, and 1 second must be evenly divisible by the span value.

0 Karma
Reply

echalex
Builder
‎11-15-2018 12:42 AM

The error message is misleading, in my view. I tried this in Splunk 6.5.9 and received the same error message. However, the difference is that Splunk 6.5.9 doesn't have the snap-to as a feature for timechart, but according to the doc 6.6.3, should have it.

(Original answer converted to a comment and edited entirely. I assumed that 1w@w would be the correct snap-to in 6.6.3, but I was corrected.)

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎11-15-2018 04:44 AM

@w1 is correct, snapping to Monday.

The integer before the time unit is optional, and documented as such by being in square brackets.

0 Karma
Reply

echalex
Builder
‎11-15-2018 05:18 AM

Right... I didn't check so far in the documentation and it's a new construct/feature to me.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎11-14-2018 06:21 PM

Works fine in my Splunk, but I'm on 7.2

0 Karma
Reply

HiroshiSatoh
Champion
‎11-14-2018 10:13 PM

7.0.3 and 6.6.1 worked.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...