- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How can I bin over specified time periods in a...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How can I bin over specified time periods in a timechart?
Hi,
I am trying to create a dashboard showing the amount of events split up in working and non-working hours joined by a sparkline showing the trend over the last 7 days in two different charts. For the working hours, specifying (date_hour>6 AND date_hour<18) together with span=1d works quite fine. However, for the non-working hours I would like to have a bin starting at 6pm and ending the next day at 6am. Using span=24h I get a binning starting at 2am.
My search so far looks like:
*"some search"* (date_hour<6 OR date_hour>18) | fillnull value=novalue | timechart count span=24h
Is it possible to fix the starting point of the binning in a timechart?
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have found a way to get the correct binning by shifting the time for the events after 6pm to the next day. It do not think that it is a nice solution but a working one. Below my new search
some search (date_hour<7 OR date_hour>18) | eval _time=if(date_hour>18, _time+86400,_time)| fillnull value=Null | timechart count span=24h
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try like this
your base search date_hour=* | eval Period=if(date_hour<6 OR date_hour>18,"Non-Working Hours","Working Hours") | timechart span=1d count by Period
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could try creating two searches, then appending them together and charting them on the same chart. There may be easier ways of doing this and I have not fully tested the method below but you would try something like:
some search (date_hour<6 OR date_hour>18) | eval hours="NON-WORKING" | fillnull value=novalue | timechart count span=24h by hours | append [some search (date_hour>6 OR date_hour<18) | eval hours="WORKING" | fillnull value=novalue | timechart count span=24h by hours] | timechart span=24h sum(count) by hours
This way you will have two series on your graph. One for "NON-WORKING and one for "WORKING".
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I do not want to combine the two charts into a single one. Rather I would like manipulate the binning. Sofar all I get is the number of results from one day (24h), but what I want is to sum the events such that I get all events collectet during the night (18-6 or non-working hours).
For example:
If I have one event at 3am and one at 8pm on the same day, I want them to reside in two different bins.
If I have one event at 8pm and one at the next day at 3am , I want them to reside in a single bin.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I see what you mean. I would change your bin span to 12 hours and then try and focus the earliest time of your search in the time range picker to start at either 6pm or 6am on a given day. That might trigger the 12 hour buckets to start at 6am/6pm.
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
