How to get timewrap per day with exact date on the...

rangarbus · ‎11-23-2020

I have data feed into splunk via forwarder.

I want to count the events per for the time picker selected by user.

index=default sourcetype=trans_logs 
host="abcd.rangarbus.com"  source=/logs/transfer_report_*.log
| timechart span=1h count 
| timewrap 1d series=exact 
| eval time=strftime(_time, "%H:%M")
| fields - _time
| fields + time, *
| sort by time

I have selected last 7 days in date/time picker. Attached is the result I get in splunk.

It shows Nov22 at the end, but ideally i should be Nov23.

What should i change here to have timewrap per day with exact date on the column title.?

thambisetty · ‎11-23-2020

@rangarbus

you don't need timewrap for your problem. just use below query:

index=default sourcetype=trans_logs 
host="abcd.rangarbus.com"  source=/logs/transfer_report_*.log
| timechart span=1d count

if you choose Last 7 days from time picker then Splunk takes -7days from the time you run the search. you may not have complete data of current date and earliest date.

————————————
If this helps, give a like below.

rangarbus · ‎11-24-2020

Thanks @thambisetty . If i remove the timewrap 1h , it endup 7 rows(1 per day) with sum of all count for each day. With timewrap 1h , i expected to have 24 rows with 7 columns each showing specific count..

How to get timewrap per day with exact date on the column title?

timechart

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!