Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Use of Timewrap command to control the time range

Shashank_87
Explorer
‎02-08-2020 04:48 AM

Hi, I am trying to plat a graph of response time over a period of time. I am using timewrap command to plot it for yesterday, day before yesterday and last week.
The problem is I only want it for a certain period of time on the day. For Example between 12:00 PM to 10:00 PM (peak hours).
I am snapping the time in the search itself like this earliest=-7d@d+3h latest=@d but is not working. Please see the graph - on the x-axis it is still plotting from 12:00 AM but what i want is from 12:00 PM.

earliest=-7d@d+3h latest=@d

Any help is appreciated.alt text

Preview file
47 KB
0 Karma
Reply

to4kawa
Ultra Champion
‎02-08-2020 12:59 PM 
your search
| where relative_time(now(),"-8d@d+12h") <= _time

earliest=-8d@d+3h is 03:00 AM, but timechart starts at 00:00 AM.
I don't know why.

Why not limit the display period?

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎02-08-2020 04:59 AM

Please share the spl queries you've attempted

0 Karma
Reply

Shashank_87
Explorer
‎02-08-2020 05:03 AM

@jkat54 This is the query -
index=tp_test sourcetype=access_combined_wcookie earliest=-8d@d+3h latest=@d
| timechart span=15m avg(response_time_sec) as AvgResponseTime
| timewrap d
| fields _time,AvgResponseTime_latest_day,AvgResponseTime_1day_before,AvgResponseTime_7days_before

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎02-08-2020 05:44 AM

I think you need a number in front of the units:

| timewrap 1d

0 Karma
Reply

Shashank_87
Explorer
‎02-08-2020 05:50 AM

I dont think that matters. The problem is I want to compare the results from 12:00 PM to 10:00 PM.
Right now it's coming for full day which i don't want.
I think this is what needs to be modified : earliest=-8d@d+3h latest=@d

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎02-08-2020 07:39 AM

timewrap 10h

12p -10p is 10 hours

drop earliest and latest from your search and update timewrap to 10h

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...