Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How can I create a time chart grouping the data per 5 minutes, but showing every minute?

ocnarb
New Member
‎12-20-2019 02:35 AM

Example:

_time---value---group
00:01------2---------2
00:02------3---------5
00:03------4---------9
00:04------2---------11
00:05------3---------14
00:06------1---------13
00:07------2---------12
00:08------1---------9
00:09------1---------8
00:10------2---------7

0 Karma
Reply

to4kawa
Ultra Champion
‎12-20-2019 01:26 PM 
| makeresults 
| eval _raw="_time,value,group
00:01,2,2
00:02,3,5
00:03,4,9
00:04,2,11
00:05,3,14
00:06,1,13
00:07,2,12
00:08,1,9
00:09,1,8
00:10,2,7"
| multikv
| eval _time=strptime(time,"%H:%M")
| table _time,value,group
| rename COMMENT as "this is sample data you provided"
| rename COMMENT as "From now on, I will verify your desired behavior."
| timechart cont=f span=5m sum(value) as value by group

Hi, @ocnarb

I did it using multiple searches of 5 minutes and joining them per minute,

If you provide your query, it can be improved.
maybe , you do not need to join because it is slow.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-20-2019 08:09 AM

When timechart groups events by time, the specific time information is lost so it's not possible to show every minute. The same is true of the bin command.

If you explain your use case, there may be another way.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

ocnarb
New Member
‎12-20-2019 09:14 AM

Thanks rich.

I did it using multiple searches of 5 minutes and joining them per minute, it was messy and super slow, but it worked. I did something like this:

1st search: from now to -5m
2nd search: from -1m to -6m
3rd search: from -2m to -4m
4th search: from -3m to -8m
...

I thought there was a better and faster way of doing it via timechart.

I will adjust the thresholds and use a timechart with a span of 1 minute.

Thanks again for the attention.

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎12-20-2019 03:15 PM

I expect you could use a couple of streamstats commands with two different time windows to generate aggregations without losing the data as you would with timechart, stats or bin.

Not sure what your 5 minute grouping is expected to look like though, as I don't understand your group example above.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...