Dashboards & Visualizations

How to get timewrap per day with exact date on the column title?

rangarbus
Explorer

I have data feed into splunk via forwarder.

I want to count the events per for the time picker selected by user. 

 

index=default sourcetype=trans_logs 
host="abcd.rangarbus.com"  source=/logs/transfer_report_*.log
| timechart span=1h count 
| timewrap 1d series=exact 
| eval time=strftime(_time, "%H:%M")
| fields - _time
| fields + time, *
| sort by time

 

I have selected last 7 days in date/time picker. Attached is the result I get in splunk.

It shows Nov22 at the end, but ideally i should be Nov23. 

What should i change here to have timewrap per day with exact date on the column title.?

Labels (1)
0 Karma

thambisetty
Super Champion

@rangarbus 

you don't need timewrap for your problem. just use below query:

index=default sourcetype=trans_logs 
host="abcd.rangarbus.com"  source=/logs/transfer_report_*.log
| timechart span=1d count 

if you choose Last 7 days from time picker then Splunk takes -7days from the time you run the search. you may not have complete data of current date and earliest date. 

 

————————————
If this helps, give a like below.
0 Karma

rangarbus
Explorer

Thanks @thambisetty  . If i remove the timewrap 1h , it endup 7 rows(1 per day) with sum of all count for each day.  With timewrap 1h , i expected to have 24 rows with 7 columns each showing specific count.. 

0 Karma