Sum in Timechart problem

himanish12 · ‎05-07-2020

Hi All,
I m facing an issue while calculating summation in timechart for the span of 5mins in Single valued Visualization.
I wanted to display the sum of the data came in last 5 mins at the end of the window of 5 mins instead at start.
For example,
07/05/2020 07:05 34
07/05/2020 07:06 38
07/05/2020 07:08 10
07/05/2020 07:09 85
07/05/2020 07:10 43
07/05/2020 07:11 12

Here, i want the sum after 7:05 till 7:10 to be displayed at 7:10 instead of 7:05, as 176 at 7:10 instead of 167 at 7:05.
Currently, i m using following query:
index=.... earliest=-24h
| timechart sum(count) as Volume span=5m
| fillnull value=0

Thanks

DalJeanis · ‎05-07-2020

There are several solutions.

1) You could add at the end, either before or after timechart

 | rename COMMENT as "Move all _times five minutes later"
 | eval _time = _time +300

2) Before the timechart, you could do this

| rename COMMENT as "Move all _times to end of period"
| eval _time   = 300* ceiling(_time/300)

3) or this

| rename COMMENT as "Move all _times to end of period"
| eval _time   = _time + 299.999

The difference in result between the three is whether you want events that occur at exactly 3:05 to show up at 3:05 or 3:10. The first will move them to 3:10, whereas the second and third will leave them at 3:05.

Sum in Timechart problem

administration

configuration

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?

Sum in Timechart problem

administration

configuration

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR