How to get timewrap per day with exact date on the...

rangarbus · ‎11-23-2020

I have data feed into splunk via forwarder.

I want to count the events per for the time picker selected by user.

index=default sourcetype=trans_logs 
host="abcd.rangarbus.com"  source=/logs/transfer_report_*.log
| timechart span=1h count 
| timewrap 1d series=exact 
| eval time=strftime(_time, "%H:%M")
| fields - _time
| fields + time, *
| sort by time

I have selected last 7 days in date/time picker. Attached is the result I get in splunk.

It shows Nov22 at the end, but ideally i should be Nov23.

What should i change here to have timewrap per day with exact date on the column title.?

thambisetty · ‎11-23-2020

@rangarbus

you don't need timewrap for your problem. just use below query:

index=default sourcetype=trans_logs 
host="abcd.rangarbus.com"  source=/logs/transfer_report_*.log
| timechart span=1d count

if you choose Last 7 days from time picker then Splunk takes -7days from the time you run the search. you may not have complete data of current date and earliest date.

————————————
If this helps, give a like below.

rangarbus · ‎11-24-2020

Thanks @thambisetty . If i remove the timewrap 1h , it endup 7 rows(1 per day) with sum of all count for each day. With timewrap 1h , i expected to have 24 rows with 7 columns each showing specific count..

How to get timewrap per day with exact date on the column title?

timechart

.conf25 Community Recap

Splunk App Developers | .conf25 Recap & What’s Next

Congratulations to the 2025-2026 SplunkTrust!

Are you a member of the Splunk Community?

How to get timewrap per day with exact date on the column title?

timechart

.conf25 Community Recap

Splunk App Developers | .conf25 Recap & What’s Next

Congratulations to the 2025-2026 SplunkTrust!