Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

After eval _time, time chart is not considering updated _time

AKG1_old1
Builder
‎11-22-2017 05:57 AM

Hi,

I am updating the _time in my search query and passing that to Timechart.

My requirement is that timechart should be created only for specific time. In this example I am removing all data which is older than 4 hrs. So I want timechart only for last 4 hrs. Instead of its creating the timechart based on earliest and latest time

alt text

alt text

Query:

base search | eval earliest_time = if(len(replace("-4h@h","\d",""))=0,"-4h@h",relative_time(now(),"-4h@h")) | eval latest_time = if(len(replace("now","\d",""))=0,"now",now()) | eval _time = if(_time <= earliest_time,earliest_time,_time) | eval StartEpoc = if(StartEpoc <= earliest_time,earliest_time,StartEpoc) | eval EndEpoc = if(EndEpoc >= latest_time,latest_time,EndEpoc) | where EndEpoc >= StartEpoc |  eval Duration = EndEpoc - StartEpoc | eval 1=1 | timechart bins=2000 max(Duration) BY Activity

earlier I had the similar problem but in that _time was not updated in epoch format. but in this case _time is already in epoch format.
related post

I guess, Timechart is created based on earliest and latest time not on _time column. Is there way so timechart is created based on updated _time not by earliest and latest time.

Preview file
99 KB
Preview file
74 KB
Reply

AKG1_old1
Builder
‎11-22-2017 07:52 AM

alt text
@micahkemp : thanks for reply. Now its creating timechart for required time duration but time is unreadable.

I also tried with fixedrange=false which is slightly better than cont=false but not perfect.

Reply

micahkemp
Champion
‎11-22-2017 07:06 AM

Try cont=false in timechart:

base search | eval earliest_time = if(len(replace("-4h@h","\d",""))=0,"-4h@h",relative_time(now(),"-4h@h")) | eval latest_time = if(len(replace("now","\d",""))=0,"now",now()) | eval _time = if(_time <= earliest_time,earliest_time,_time) | eval StartEpoc = if(StartEpoc <= earliest_time,earliest_time,StartEpoc) | eval EndEpoc = if(EndEpoc >= latest_time,latest_time,EndEpoc) | where EndEpoc >= StartEpoc |  eval Duration = EndEpoc - StartEpoc | eval 1=1 | timechart bins=2000 max(Duration) BY Activity

cont
    Syntax: cont=<bool>
    Description: Specifies whether the chart is continuous or not. If set to true, the Search application fills in the time gaps.
    Default: true
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...