Use of Timewrap command to control the time range

Shashank_87 · ‎02-08-2020

Hi, I am trying to plat a graph of response time over a period of time. I am using timewrap command to plot it for yesterday, day before yesterday and last week.
The problem is I only want it for a certain period of time on the day. For Example between 12:00 PM to 10:00 PM (peak hours).
I am snapping the time in the search itself like this earliest=-7d@d+3h latest=@d but is not working. Please see the graph - on the x-axis it is still plotting from 12:00 AM but what i want is from 12:00 PM.

earliest=-7d@d+3h latest=@d

Any help is appreciated.

to4kawa · ‎02-08-2020

your search
| where relative_time(now(),"-8d@d+12h") <= _time

earliest=-8d@d+3h is 03:00 AM, but timechart starts at 00:00 AM.
I don't know why.

Why not limit the display period?

jkat54 · ‎02-08-2020

Please share the spl queries you've attempted

Shashank_87 · ‎02-08-2020

@jkat54 This is the query -
index=tp_test sourcetype=access_combined_wcookie earliest=-8d@d+3h latest=@d
| timechart span=15m avg(response_time_sec) as AvgResponseTime
| timewrap d
| fields _time,AvgResponseTime_latest_day,AvgResponseTime_1day_before,AvgResponseTime_7days_before

jkat54 · ‎02-08-2020

I think you need a number in front of the units:

| timewrap 1d

Shashank_87 · ‎02-08-2020

I dont think that matters. The problem is I want to compare the results from 12:00 PM to 10:00 PM.
Right now it's coming for full day which i don't want.
I think this is what needs to be modified : earliest=-8d@d+3h latest=@d

jkat54 · ‎02-08-2020

timewrap 10h

12p -10p is 10 hours

drop earliest and latest from your search and update timewrap to 10h

Use of Timewrap command to control the time range

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7

Splunk Observability Cloud | Enhancing Your Onboarding Experience with the ...