- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How can I set timechart span=2h count for a day to...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Could anyone know how to start plotting from midnight when time range is something like earliest=-1d@d latest=@d?
I see some behaviors which I did not expect.
The following query always starts plotting 11PM, not 0AM even I set earliest and latest like this.
earliest=-1d@d latest=@d | timechart span=2h count
_time count
--------------------------- -----
2013-07-18 23:00:00.000 JST 11372
2013-07-19 01:00:00.000 JST 22430
2013-07-19 03:00:00.000 JST 22420
2013-07-19 05:00:00.000 JST 22488
2013-07-19 07:00:00.000 JST 22442
2013-07-19 09:00:00.000 JST 22301
2013-07-19 11:00:00.000 JST 22331
2013-07-19 13:00:00.000 JST 22726
2013-07-19 15:00:00.000 JST 22779
2013-07-19 17:00:00.000 JST 22732
2013-07-19 19:00:00.000 JST 22509
2013-07-19 21:00:00.000 JST 22501
2013-07-19 23:00:00.000 JST 11098
if I change span=3h, then the result starts frmo midnight, which I expect.
earliest=-1d@d latest=@d | timechart span=3h count
_time count
--------------------------- -----
2013-07-19 00:00:00.000 JST 33802
2013-07-19 03:00:00.000 JST 33645
2013-07-19 06:00:00.000 JST 33705
2013-07-19 09:00:00.000 JST 33399
2013-07-19 12:00:00.000 JST 33959
2013-07-19 15:00:00.000 JST 34209
2013-07-19 18:00:00.000 JST 33811
2013-07-19 21:00:00.000 JST 33599
Now, if I set span=4h, then the result starts from 9PM
earliest=-1d@d latest=@d | timechart span=4h count
_time count
--------------------------- -----
2013-07-18 21:00:00.000 JST 11372
2013-07-19 01:00:00.000 JST 44850
2013-07-19 05:00:00.000 JST 44930
2013-07-19 09:00:00.000 JST 44632
2013-07-19 13:00:00.000 JST 45505
2013-07-19 17:00:00.000 JST 45241
2013-07-19 21:00:00.000 JST 33599
Thanks,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You seem to have a disparity between timezones on your reporting machine and in the indexes. Looks like the timestamp in your indexing is then being formatted as one hour west when you report on it.
I have just been investigating this in the UK where we are currently in British Summer Time (i.e. UTC+1) and I have the same problem. Generating a report which should produce results between (local) midnight and midnight yesterday produces the right search results, but when charted with a timespan the range boundaries seem to be related to the native system time (i.e. starting at midnight UTC not the current presentation time). It would seem to be a bug.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You seem to have a disparity between timezones on your reporting machine and in the indexes. Looks like the timestamp in your indexing is then being formatted as one hour west when you report on it.
I have just been investigating this in the UK where we are currently in British Summer Time (i.e. UTC+1) and I have the same problem. Generating a report which should produce results between (local) midnight and midnight yesterday produces the right search results, but when charted with a timespan the range boundaries seem to be related to the native system time (i.e. starting at midnight UTC not the current presentation time). It would seem to be a bug.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your comment
Now I should ask Splunk Support team
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Melonman,
Did you receive any news from splunk regarding this ?
I have also the same issue in splunk latest version. When i do timechart span for 2h it always starts from 23:00-01:00;
Thanks in Advance,
Vinay
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I indexed a dataset with no timestamp (TZ=local) in a locally installed Splunk, and did the same thing. I guess timezone should match among timestamp in data, Splunk/OS and Browser I am running with. Still timechart behaves the same. Depending on the span, timechart snaps to 00:00 or some offsets. Specifically, with the latest and earliest is set to a day(-1d@d to @d), timechart starts from 0:00 only in case of span=1h,3h,7h,21h. (for a day with span more than a few hours does not seem to have much meaning, but timechart behaves diffetently depending on the combination of span and time range.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
http://docs.splunk.com/Documentation/Splunk/5.0.3/Search/Specifytimemodifiersinyoursearch
"More about snap-to-time"
i think because of this property it's rounding off to the nearest time period.
Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!
Transform your security operations with Splunk Enterprise Security
Splunk Admins and App Developers | Earn a $35 gift card!
