Splunk Enterprise

Time slicing issue

New Member

I have the query below and it should give results for a time filter of the last four hours (or) the last 24 hours.

|makeresults |bucket _time span=1h|stats count by _time

But it is giving only the latest hour instead of 4 records for the last four hours filter (or) 24 records for the last 24 hours filter.

Kindly help us.


Re: Time slicing issue

SplunkTrust

makeresults by itself generates a single event with the current timestamp. Therefore, that event will fit into a single hour bucket. If you tell makeresults to generate multiple events, those events will have the same timestamp and you'll still have everything in a single bucket.

Please describe the problem you are trying to solve and we may be able to suggest a solution.

---
If this reply helps you, an upvote would be appreciated.


Re: Time slicing issue

New Member

Can you please let us know how to handle the above query, getting each event with respect to the span limit?


Re: Time slicing issue

SplunkTrust

The current query does nothing. Please describe the real problem you are trying to solve.

---
If this reply helps you, an upvote would be appreciated.

Re: Time slicing issue

New Member

I need the time slicing here, like:

I want to see four events for span=1h in the last four hours filter.

Something like below

| bin _time span=1h | fields _time

result should be

_time

2020-04-29 10:00
2020-04-29 9:00
2020-04-29 8:00
2020-04-29 7:00

I want to get all the time spans irrespective of count (having null also), so I am trying to apply a cross join using the "join max=0" below once I get proper time slicing.

| makeresults | bin _time span=1h | fields _time | join max=0 [search index="us_west_prod_power_platform" sourcetype="spark:metric" metricName="HRTBT_LHIST_METRIC_DD" host="emr-prod-distributor" | spath output=osm_zone_id path=dimensions{2}.value | dedup osm_zone_id | fields osm_zone_id] | table _time, osm_zone_id

Kindly help us.


Re: Time slicing issue

SplunkTrust

The timechart command will fill in missing time frames. Try

index="us_west_prod_power_platform" sourcetype="spark:metric" metricName="HRTBT_LHIST_METRIC_DD" host="emr-prod-distributor" 
| spath output=osm_zone_id path=dimensions{2}.value 
| dedup osm_zone_id | fields _time osm_zone_id
| timechart span=1h values(osm_zone_id) as osm_zone_id
| table _time, osm_zone_id
---
If this reply helps you, an upvote would be appreciated.
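Building on the timechart answer above, an added example (not from this thread) that extends it to one row per zone per hour, so an hour in which a zone sent nothing shows count 0 instead of disappearing from the output. The index, sourcetype, metricName, host and dimensions path are the ones quoted in this thread; the search window comes from the time picker (for example Last 4 hours):

```spl
index="us_west_prod_power_platform" sourcetype="spark:metric" metricName="HRTBT_LHIST_METRIC_DD" host="emr-prod-distributor"
| spath output=osm_zone_id path=dimensions{2}.value
| timechart span=1h limit=0 useother=f count BY osm_zone_id
| untable _time osm_zone_id count
| where count=0
| table _time, osm_zone_id, count
```

timechart emits every 1h bucket in the search window even when no events fall in it, and the BY clause makes one column per zone with 0 in empty cells; untable turns that grid back into long rows, so the final where keeps only the hour/zone pairs with no events. Drop the last two lines to see the full grid with counts.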