Splunk ITSI
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Sum in Timechart problem

himanish12
New Member
‎05-07-2020 04:15 AM

Hi All,
I m facing an issue while calculating summation in timechart for the span of 5mins in Single valued Visualization.
I wanted to display the sum of the data came in last 5 mins at the end of the window of 5 mins instead at start.
For example,
07/05/2020 07:05 34
07/05/2020 07:06 38
07/05/2020 07:08 10
07/05/2020 07:09 85
07/05/2020 07:10 43
07/05/2020 07:11 12

Here, i want the sum after 7:05 till 7:10 to be displayed at 7:10 instead of 7:05, as 176 at 7:10 instead of 167 at 7:05.
Currently, i m using following query:
index=.... earliest=-24h
| timechart sum(count) as Volume span=5m
| fillnull value=0

Thanks

Labels (2)
Labels
0 Karma
Reply

DalJeanis
Legend
‎05-07-2020 08:47 AM

There are several solutions.

1) You could add at the end, either before or after timechart 

 | rename COMMENT as "Move all _times five minutes later"
 | eval _time = _time +300

2) Before the timechart, you could do this

| rename COMMENT as "Move all _times to end of period"
| eval _time   = 300* ceiling(_time/300)

3) or this 

| rename COMMENT as "Move all _times to end of period"
| eval _time   = _time + 299.999

The difference in result between the three is whether you want events that occur at exactly 3:05 to show up at 3:05 or 3:10. The first will move them to 3:10, whereas the second and third will leave them at 3:05.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...