Splunk Dev

Timechart - map data over same interval everyday

Path Finder


I have a requirement to timechart data over the same time everyday for the past one month.

E.g.: Maximum responseTime between 9 and 10 everyday for the past month.

Query to construct timechart is:

host=host1-vm1-dev.abp.com OR host=host2-vm1-dev.abp.com date_hour=9 | timechart max(responseTime)

How do I modify this search such that the timechart displays values only between 9 and 10 (and not the whole day) everyday?
Sample chart given below.


alt text

Tags (1)
0 Karma

Super Champion

i see you're already limiting date_hour=9 so the data you're pulling is only from the 9AM hour (9-10 AM) every day, and not the whole day. Timechart will display the dates on the axis, not the date/hour. Timechart, also, will make the time continuous, if you don't specify a span.

|timechart span=1d max(responseTime)

will group it into one day buckets, though it won't display the hour.

Path Finder


I would like to display the time and value on the graph.
For instance, if the maximum duration for Oct 5 is 2214 at 09:30:51.225, I would like the data point to read (Oct 5 09:30:51 - 2214).

The idea is I want to study what is the trend of responseTime everyday. I am supposed to reduce it below 1000 ms, and I need to know how much of the transactions are taking more than 1000 ms.

0 Karma

Super Champion

try this, instead:

host=host1-vm1-dev.abp.com OR host=host2-vm1-dev.abp.com date_hour=9 
|timechart max(responseTime) span=5m cont=f
|timewrap 1d

change the span in timechart to your liking, i put it to bucket every 5 minutes.

you can remove the timewrap if you want. that'll display a line per day, which might get hard to read.

0 Karma


If you really WANT the hour displayed, you could try something like this...

host=host1-vm1-dev.abp.com OR host=host2-vm1-dev.abp.com date_hour=9 
| bin _time span=1h
| timechart span=1h max(responseTime) cont=f

But the axis labels in timechart are a bit unpredictable.

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...