Splunk ITSI
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Sum in Timechart problem

himanish12
New Member
‎05-07-2020 04:15 AM

Hi All,
I m facing an issue while calculating summation in timechart for the span of 5mins in Single valued Visualization.
I wanted to display the sum of the data came in last 5 mins at the end of the window of 5 mins instead at start.
For example,
07/05/2020 07:05 34
07/05/2020 07:06 38
07/05/2020 07:08 10
07/05/2020 07:09 85
07/05/2020 07:10 43
07/05/2020 07:11 12

Here, i want the sum after 7:05 till 7:10 to be displayed at 7:10 instead of 7:05, as 176 at 7:10 instead of 167 at 7:05.
Currently, i m using following query:
index=.... earliest=-24h
| timechart sum(count) as Volume span=5m
| fillnull value=0

Thanks

Labels (2)
Labels
0 Karma
Reply

DalJeanis
Legend
‎05-07-2020 08:47 AM

There are several solutions.

1) You could add at the end, either before or after timechart 

 | rename COMMENT as "Move all _times five minutes later"
 | eval _time = _time +300

2) Before the timechart, you could do this

| rename COMMENT as "Move all _times to end of period"
| eval _time   = 300* ceiling(_time/300)

3) or this 

| rename COMMENT as "Move all _times to end of period"
| eval _time   = _time + 299.999

The difference in result between the three is whether you want events that occur at exactly 3:05 to show up at 3:05 or 3:10. The first will move them to 3:10, whereas the second and third will leave them at 3:05.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Customer success is front and center at .conf25

Hi Splunkers, If you are not able to be at .conf25 in person, you can still learn about all the latest news ...

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...