Splunk Dev

Timechart - map data over same interval everyday

Path Finder


I have a requirement to timechart data over the same time everyday for the past one month.

E.g.: Maximum responseTime between 9 and 10 everyday for the past month.

Query to construct timechart is:

host=host1-vm1-dev.abp.com OR host=host2-vm1-dev.abp.com date_hour=9 | timechart max(responseTime)

How do I modify this search such that the timechart displays values only between 9 and 10 (and not the whole day) everyday?
Sample chart given below.


alt text

Tags (1)
0 Karma

Super Champion

i see you're already limiting date_hour=9 so the data you're pulling is only from the 9AM hour (9-10 AM) every day, and not the whole day. Timechart will display the dates on the axis, not the date/hour. Timechart, also, will make the time continuous, if you don't specify a span.

|timechart span=1d max(responseTime)

will group it into one day buckets, though it won't display the hour.

Path Finder


I would like to display the time and value on the graph.
For instance, if the maximum duration for Oct 5 is 2214 at 09:30:51.225, I would like the data point to read (Oct 5 09:30:51 - 2214).

The idea is I want to study what is the trend of responseTime everyday. I am supposed to reduce it below 1000 ms, and I need to know how much of the transactions are taking more than 1000 ms.

0 Karma

Super Champion

try this, instead:

host=host1-vm1-dev.abp.com OR host=host2-vm1-dev.abp.com date_hour=9 
|timechart max(responseTime) span=5m cont=f
|timewrap 1d

change the span in timechart to your liking, i put it to bucket every 5 minutes.

you can remove the timewrap if you want. that'll display a line per day, which might get hard to read.

0 Karma


If you really WANT the hour displayed, you could try something like this...

host=host1-vm1-dev.abp.com OR host=host2-vm1-dev.abp.com date_hour=9 
| bin _time span=1h
| timechart span=1h max(responseTime) cont=f

But the axis labels in timechart are a bit unpredictable.

0 Karma
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...