How to get timewrap per day with exact date on the column title?

rangarbus
Path Finder

I have data fed into Splunk via a forwarder.

I want to count the events per for the time picker selected by user. 

 

index=default sourcetype=trans_logs 
host="abcd.rangarbus.com"  source=/logs/transfer_report_*.log
| timechart span=1h count 
| timewrap 1d series=exact 
| eval time=strftime(_time, "%H:%M")
| fields - _time
| fields + time, *
| sort by time

 

I have selected Last 7 days in the date/time picker. Attached is the result I get in Splunk.

It shows Nov22 at the end, but ideally it should be Nov23.

What should I change here to have timewrap per day with the exact date in the column title?

0 Karma

thambisetty
SplunkTrust

@rangarbus 

You don't need timewrap for your problem. Just use the query below:

index=default sourcetype=trans_logs 
host="abcd.rangarbus.com"  source=/logs/transfer_report_*.log
| timechart span=1d count 

If you choose Last 7 days from the time picker, then Splunk takes -7days from the time you run the search. You may not have complete data for the current date and the earliest date.

 

————————————
If this helps, give a like below.
0 Karma

rangarbus
Path Finder

Thanks @thambisetty. If I remove the timewrap 1h, it ends up with 7 rows (1 per day) with the sum of all counts for each day. With timewrap 1h, I expected to have 24 rows with 7 columns, each showing a specific count.

0 Karma
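
One way to get the 24 hourly rows with one column per calendar date is to pivot the hourly buckets with chart instead of timewrap. This is an added example, not from either poster; the field name day and the %Y-%m-%d label format are choices made here, and the base search is the one from the question.

```spl
index=default sourcetype=trans_logs
host="abcd.rangarbus.com" source=/logs/transfer_report_*.log
| timechart span=1h count
| eval day=strftime(_time, "%Y-%m-%d"), time=strftime(_time, "%H:%M")
| chart limit=0 sum(count) over time by day
```

Because each column is named from the bucket's own timestamp, the label always matches the date the events occurred on. With Last 7 days selected, the first and last dates can still be partial days, so their columns will have empty cells for hours outside the search window.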