Hi,
I am updating the _time in my search query and passing that to Timechart.
My requirement is that the timechart should be created only for a specific time window. In this example I am removing all data older than 4 hrs, so I want a timechart only for the last 4 hrs. Instead, it's creating the timechart based on the earliest and latest time.
Query:
base search
| eval earliest_time = if(len(replace("-4h@h","\d",""))=0,"-4h@h",relative_time(now(),"-4h@h"))
| eval latest_time = if(len(replace("now","\d",""))=0,"now",now())
| eval _time = if(_time <= earliest_time,earliest_time,_time)
| eval StartEpoc = if(StartEpoc <= earliest_time,earliest_time,StartEpoc)
| eval EndEpoc = if(EndEpoc >= latest_time,latest_time,EndEpoc)
| where EndEpoc >= StartEpoc
| eval Duration = EndEpoc - StartEpoc
| eval 1=1
| timechart bins=2000 max(Duration) BY Activity
Earlier I had a similar problem, but in that case _time was not updated in epoch format. In this case _time is already in epoch format.
related post
I guess timechart is created based on the earliest and latest time, not on the _time column. Is there a way so the timechart is created based on the updated _time and not on the earliest and latest time?
@micahkemp: thanks for the reply. Now it's creating the timechart for the required time duration, but the time is unreadable.
I also tried with fixedrange=false which is slightly better than cont=false but not perfect.
Try cont=false in timechart:
base search
| eval earliest_time = if(len(replace("-4h@h","\d",""))=0,"-4h@h",relative_time(now(),"-4h@h"))
| eval latest_time = if(len(replace("now","\d",""))=0,"now",now())
| eval _time = if(_time <= earliest_time,earliest_time,_time)
| eval StartEpoc = if(StartEpoc <= earliest_time,earliest_time,StartEpoc)
| eval EndEpoc = if(EndEpoc >= latest_time,latest_time,EndEpoc)
| where EndEpoc >= StartEpoc
| eval Duration = EndEpoc - StartEpoc
| eval 1=1
| timechart cont=false bins=2000 max(Duration) BY Activity
cont
Syntax: cont=<bool>
Description: Specifies whether the chart is continuous or not. If set to true, the Search application fills in the time gaps.
Default: true
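A variant of the thread's query, as an added example that is not part of the original posts: timechart derives its x-axis from the search's own time range, so this version narrows that range to the same 4-hour window (earliest=-4h@h latest=now) instead of only clamping values after the fact, anchors _time to the clamped interval start, and uses an explicit span so the bucket labels stay readable. The StartEpoc, EndEpoc and Activity fields are the thread's; index=app_logs sourcetype=activity is an assumed base search.

```spl
index=app_logs sourcetype=activity earliest=-4h@h latest=now
| eval window_start = relative_time(now(), "-4h@h"), window_end = now()
| eval StartEpoc = if(StartEpoc < window_start, window_start, StartEpoc)
| eval EndEpoc = if(EndEpoc > window_end, window_end, EndEpoc)
| where EndEpoc >= StartEpoc
| eval Duration = EndEpoc - StartEpoc, _time = StartEpoc
| timechart span=5m cont=false max(Duration) BY Activity
```

With the search range and the clamp window aligned, the chart covers exactly the last 4 hours, and cont=false leaves 5-minute buckets with no activity empty rather than filling them.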