Dashboards & Visualizations

How to display events between 7h in the morning and 19h in the evening?

jip31
Motivator

hello

 

In my timechart, I just need to display events between 7h in the morning and 19h in the evening

So I am doing this and it works fine

 

| eval local_time=strftime('_time', "%H%M") 
| search local_time >="0700" AND local_time <="1900" 
| timechart span=5min dc(s) as "s" 

 

but I also need to display on my x axis timechart, only the hour between 7h in the morning and 19h in the evening

So I add this and it works too

 

| eval _time=local_time 

 

But the problem I have is that I lost the _time format, because now the format is in hours and minutes

How can I avoid this, please?

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Why not just reduce the timerange to that time period of the day so that your timechart runs only for 07:00AM and 07:00PM? Your x-axis values will only show the hours that you need. Like this:

index=foo sourcetype=bar earliest=@d+7h latest=@d+19h
| timechart span=5min dc(s) as "s" 

 

0 Karma

jip31
Motivator

hi somesoni

great solution thanks

0 Karma

jip31
Motivator

As you can see on the x axis, instead of having 7:00, 8:00, 9:00 etc., I have 1972, 1976, 1980....

jip31_0-1646676199480.png

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

What are you expecting your x-axis to contain?

0 Karma

jip31
Motivator

Because I use "today" in the time picker, I need to display hours with a span of 1 hour between 7h and 19h

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
| timechart span=1h dc(s) as "s"
0 Karma

jip31
Motivator

I think you didn't understand my need, sorry

0 Karma

PickleRick
SplunkTrust
SplunkTrust

Do it the other way around. Don't render the _time field to string, check if the timestamp modulo 86400 falls between 7*3600 and 19*3600. You might need to offset it by your local timezone.

0 Karma

jip31
Motivator

Hmm, not sure I understand

Do you have an example, please?

0 Karma

PickleRick
SplunkTrust
SplunkTrust
<your_search> | where (_time % 86400 > 9*3600) AND (_time % 86400 < 17*3600)

This will work in GMT. In case of another time zone you'll have to replace _time with (_time+offset) where offset is expressed in seconds, like 3600 for GMT+1, 7200 for GMT+2 and so on.

0 Karma

jip31
Motivator

sorry but it gives nothing

0 Karma

PickleRick
SplunkTrust
SplunkTrust

Example from my home splunk

Screenshot_20220307-235114_Firefox Beta.jpg

 As you can see, I have condition for hours 6-14 but I'm getting results from 7-15 (there is a bin command so all 14:xx times are counted as 14:00 of course) because my local timezone is CET (GMT+1)

0 Karma
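
The modulo filter from this thread, applied over a multi-day range where a single earliest/latest window cannot isolate the 7h-19h period of each day. This is an added example, not code posted by any participant, and it goes beyond the one-day case discussed above. Assumptions: a fixed GMT+1 offset (the hypothetical field `tz_offset=3600`, which ignores daylight saving), a 7-day range, and the `index=foo sourcetype=bar` placeholders and field `s` taken from the thread.

```spl
index=foo sourcetype=bar earliest=-7d@d latest=@d
| eval tz_offset=3600
| eval sec_of_day=(_time + tz_offset) % 86400
| where sec_of_day >= 7*3600 AND sec_of_day < 19*3600
| timechart span=1h dc(s) as "s"
```

Because `_time` is never overwritten, timechart still buckets on real timestamps, and the hours outside the window simply contain no events.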