Splunk ITSI
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Sum in Timechart problem

himanish12
New Member
‎05-07-2020 04:15 AM

Hi All,
I m facing an issue while calculating summation in timechart for the span of 5mins in Single valued Visualization.
I wanted to display the sum of the data came in last 5 mins at the end of the window of 5 mins instead at start.
For example,
07/05/2020 07:05 34
07/05/2020 07:06 38
07/05/2020 07:08 10
07/05/2020 07:09 85
07/05/2020 07:10 43
07/05/2020 07:11 12

Here, i want the sum after 7:05 till 7:10 to be displayed at 7:10 instead of 7:05, as 176 at 7:10 instead of 167 at 7:05.
Currently, i m using following query:
index=.... earliest=-24h
| timechart sum(count) as Volume span=5m
| fillnull value=0

Thanks

Labels (2)
Labels
0 Karma
Reply

DalJeanis
Legend
‎05-07-2020 08:47 AM

There are several solutions.

1) You could add at the end, either before or after timechart 

 | rename COMMENT as "Move all _times five minutes later"
 | eval _time = _time +300

2) Before the timechart, you could do this

| rename COMMENT as "Move all _times to end of period"
| eval _time   = 300* ceiling(_time/300)

3) or this 

| rename COMMENT as "Move all _times to end of period"
| eval _time   = _time + 299.999

The difference in result between the three is whether you want events that occur at exactly 3:05 to show up at 3:05 or 3:10. The first will move them to 3:10, whereas the second and third will leave them at 3:05.

0 Karma
Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...