Hi @alexeysharkov ,

let us know if we can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

 Can you share some events which are not in the count?

@ITWhisperer 

Hello i think all messages counted by count . But spreading is incorrect.

I 've expected count spread on every 5 min (span=5m) but it count spread every hour 

I see time in ROW like this

I have search with another sourcetype. _time format is the same/

And similar timechart is OK spreading with span =5 min  work OK

Dontknoooooww 😞

Are you saying that this event 13:02:59 is not counted? Or it is counted in the 13:00:00 - 13:04:59 bin?

You haven't shown an event which is in the wrong time bucket yet!

Ok i get find only one xml event 

search it  index=hcg_app_damu_prod sourcetype=damu_log_dbz_out earliest=-1d | spath | search (log.referenceId=HKBRZA0000389094 AND log.agrementNumber=4303291972)

And then i build timechart 

So event with _time =2025-02-26T14:02:59.970+05:00 

Goes to bucket at 2025-02-26 14:00:00

Im sure my events spread on 5 minutes buckets

I have no Idea why it go to hour bucket's

Again, this event appears to be in the right bucket. Please provide evidence that you have events in the wrong buckets, otherwise, this seems to be a non-problem 😎

Hi @alexeysharkov ,

don't use the table command before timechart and please share some raw data.

Ciao.

Giuseppe

change search without table - useless

Raw data in first message. Just simple XML source

<log><local_time>2025-02-25T17:02:59:979253+05:00</local_time><bik>TSESKZKA</bik><fileName>stmt_4102880506.pdf</fileName><size>238529</size><iin>780515303362</iin><agrementNumber>4102880506</agrementNumber><agrementDate>08.09.2021</agrementDate><referenceId>HKBRZA0000388353</referenceId><bankCode>Jysan bank</bankCode><result>OK</result></log>

<log><local_time>2025-02-25T17:02:59:986891+05:00</local_time><bik>INLMKZKA</bik><fileName>stmt_dbz.pdf</fileName><size>195992</size><iin>710416303014</iin><agrementNumber>4400863944</agrementNumber><agrementDate>17.02.2024</agrementDate><referenceId>HKBRZA0000388352</referenceId><bankCode>Halyk bank</bankCode><result>OK</result></log>

Hi @alexeysharkov ,

I suppose that _time corresponds to the <local_time>.

please another stupid try: rename log.bankCode in log_bankCode before timecharting and then use this field in the timechart.

could you share your events, with also the _time field?

Ciao.

Giuseppe