Display last 8 hours from now()?

harishalipaka
Motivator

Hi Splunkers,

I want to display the last 8 hours of data with a 1 hour difference, without any index or KV store table, e.g. with makeresults or gentimes.
E.g. suppose the current time is "2018-09-14 13:31:42"

|makeresults |eval current=now() | timechart span=1h count as duration

I want to display it like below

time
13:30
12:30
11:30
10:30
09:30
08:30
07:30
06:30

Thank you in advance :disappointed_face:

Thanks
Harish

niketn
Legend

@harishalipaka, try the following run-anywhere example based on Splunk's _internal index

index=_internal sourcetype=splunkd log_level=ERROR
| timechart span=1h count as Error 
| append
    [| makeresults 
    | addinfo 
    | eval Time=info_max_time.",".info_min_time 
    | fields Time 
    | makemv Time delim="," 
    | mvexpand Time 
    | rename Time as _time 
    | timechart span=1h count(somefieldthatdoesnotexist) as Error] 
| dedup _time

The sub-query inside append creates dummy rows for each hour, provided the Time Range selected for the query is Last 8 hours, i.e. earliest=-8h and latest=now. The final dedup returns the non-zero counts from the main search if they are present, or else displays the 0 count from the second search for the last 8 hours.

You can test the second condition by changing the base search from log_level=ERROR to log_level=ERROR1, which does not exist. Instead of showing "No results found" it will show a 0 count for the last 8 hours.

Please try it out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

somesoni2
Revered Legend

Try like this

| gentimes start=-1 | eval time=mvrange(relative_time(now(),"-8h"), now(),1800) | table time | mvexpand time | rename time as _time | timechart span=30m count

OR

| makeresults | eval time=mvrange(relative_time(now(),"-8h"), now(),1800) | table time | mvexpand time | rename time as _time | timechart span=30m count
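A Python model of the two patterns in niketn's and somesoni2's answers above (generating a contiguous list of time buckets the way mvrange/makeresults plus timechart does, then zero-filling a real count series the way append + dedup _time does). This is an added example, not code from either post and not Splunk code: NOW, SAMPLE_EVENTS, the 8h lookback and the span values are constructed assumptions, and the functions only imitate the SPL semantics. The point it makes for a detection dashboard is that an hour with no matching events should render as a 0 row, not disappear from the chart.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed "now", matching the asker's example timestamp (assumed UTC).
NOW = datetime(2018, 9, 14, 13, 31, 42, tzinfo=timezone.utc)

# Constructed sample events standing in for index=_internal sourcetype=splunkd rows:
# (timestamp, log_level). Only three of the last eight hours contain ERRORs.
SAMPLE_EVENTS = [
    (NOW - timedelta(hours=7, minutes=5), "ERROR"),   # 06:26:42
    (NOW - timedelta(hours=7, minutes=1), "ERROR"),   # 06:30:42
    (NOW - timedelta(hours=3, minutes=20), "ERROR"),  # 10:11:42
    (NOW - timedelta(hours=2, minutes=10), "WARN"),   # 11:21:42, not an ERROR
    (NOW - timedelta(minutes=2), "ERROR"),            # 13:29:42
]


def snap_to_span(t, span_s):
    """timechart-style bucket alignment: floor the epoch to a multiple of span_s.
    This is why a 13:31:42 'now' lands in the 13:00 bucket, not a 13:30 one."""
    epoch = int(t.timestamp())
    return datetime.fromtimestamp(epoch - epoch % span_s, tz=timezone.utc)


def dummy_buckets(earliest, latest, span_s):
    """Model of the mvrange(...) | mvexpand | rename time as _time | timechart span=...
    sub-search: every bucket from earliest to latest, whether or not events exist."""
    t = snap_to_span(earliest, span_s)
    end = snap_to_span(latest, span_s)
    out = []
    while t <= end:
        out.append(t)
        t += timedelta(seconds=span_s)
    return out


def timechart_count(events, span_s, predicate):
    """Model of `<base search> | timechart span=... count`: buckets that had events."""
    counts = Counter()
    for ts, level in events:
        if predicate(level):
            counts[snap_to_span(ts, span_s)] += 1
    return dict(counts)


def zero_filled_timechart(events, now, lookback_s, span_s, predicate):
    """Model of `... | append [dummy rows] | dedup _time`: a real count wins for a
    bucket when present, otherwise the dummy row's 0 fills the gap."""
    real = timechart_count(events, span_s, predicate)
    buckets = dummy_buckets(now - timedelta(seconds=lookback_s), now, span_s)
    return [(b, real.get(b, 0)) for b in buckets]


def format_rows(rows):
    """Render rows as 'HH:MM count' strings, like the table the asker wanted."""
    return [f"{b.strftime('%H:%M')} {c}" for b, c in rows]


if __name__ == "__main__":
    is_error = lambda lvl: lvl == "ERROR"
    for line in format_rows(zero_filled_timechart(SAMPLE_EVENTS, NOW, 8 * 3600, 3600, is_error)):
        print(line)
    # With a level that never occurs (the log_level=ERROR1 test in niketn's post)
    # the chart still has every bucket, each with 0.
    print(format_rows(zero_filled_timechart(SAMPLE_EVENTS, NOW, 8 * 3600, 3600, lambda l: l == "ERROR1")))
```

Running it prints nine rows from 05:00 to 13:00 (a "Last 8 hours" window with span=1h touches nine hour boundaries, with partial buckets at both ends), and the ERROR1 variant prints the same nine buckets with 0 counts instead of an empty result set.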

renjith_nair
Legend

@harishalipaka,

Does it work for you?

| makeresults count=8|eval diff=1|accum diff as diff|eval diff=(diff-1)*3600
|eval _time=strftime(_time-diff,"%H:%M")|fields - diff
---
What goes around comes around. If it helps, hit it with Karma :slightly_smiling_face:

niketn
Legend

@harishalipaka do you want to use this in a search or a dashboard?
Also, what is the logic for picking 30 min instead of 31 if the current time is at minute 31?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"