Re: Snap-to-time in timechart

rsuryasaputra1 · ‎11-14-2018

Hello

I'm confused about this behaviour... the search works if the span is just weekly; but fails when putting w1.

| timechart span=w@w1 dc(serial)

returns with error
Streamed search execute failed because: Error in 'bin' command: The value for option span (w@w1) is invalid. When span is expressed using a sub-second unit (ds, cs, ms, us), the span value needs to be < 1 second, and 1 second must be evenly divisible by the span value.

Splunk Enterprise 6.6.3.

Thank you in advanced for your help and insights!

martin_mueller · ‎11-19-2018

The searches you posted as broken are working for me. Have you considered upgrading, just in case 6.6.3 might have a bug around this feature? It was new for 6.6.

martin_mueller · ‎11-15-2018

Do post your entire search.

rsuryasaputra1 · ‎11-18-2018

Thanks for your responses so far. I'm querying summarised index here.

index="tv" sourcetype="stash" group="voice_analytics" source="voice_googleid_linked" | timechart span=1w dc(serial) as "# of TVs linked" <== works, last 30 days (i.e. from 20-Oct) buckets to weeks starting from Saturday.

index="tv" sourcetype="stash" group="voice_analytics" source="voice_googleid_linked" | timechart span=1w@w dc(serial) as "# of TVs linked" <== Streamed search execute failed because: Error in 'bin' command: The value for option span (1w@w) is invalid. When span is expressed using a sub-second unit (ds, cs, ms, us), the span value needs to be < 1 second, and 1 second must be evenly divisible by the span value.

index="tv" sourcetype="stash" group="voice_analytics" source="voice_googleid_linked" | timechart span=1w@w3 dc(serial) as "# of TVs linked" <== Streamed search execute failed because: Error in 'bin' command: The value for option span (1w@w3) is invalid. When span is expressed using a sub-second unit (ds, cs, ms, us), the span value needs to be < 1 second, and 1 second must be evenly divisible by the span value.

echalex · ‎11-15-2018

The error message is misleading, in my view. I tried this in Splunk 6.5.9 and received the same error message. However, the difference is that Splunk 6.5.9 doesn't have the snap-to as a feature for timechart, but according to the doc 6.6.3, should have it.

(Original answer converted to a comment and edited entirely. I assumed that 1w@w would be the correct snap-to in 6.6.3, but I was corrected.)

martin_mueller · ‎11-15-2018

@w1 is correct, snapping to Monday.

The integer before the time unit is optional, and documented as such by being in square brackets.

echalex · ‎11-15-2018

Right... I didn't check so far in the documentation and it's a new construct/feature to me.

martin_mueller · ‎11-14-2018

Works fine in my Splunk, but I'm on 7.2

HiroshiSatoh · ‎11-14-2018

7.0.3 and 6.6.1 worked.

Snap-to-time in timechart

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Join the Conversation