Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I get a search with "timechart span=1d" to return and display events from the top of the hour?

Vignesh5r
New Member
‎08-15-2016 01:07 PM

I have a search like below.

If i run this search, let's say now, it fetches transaction (as per the display ) not from the TOP of the hour, but from the time I have run the search.

Let's say I run this for the last 7 days.
It takes only from 8/8 15:00 hrs till now and not 8/8 00:00 hrs until now.

I tried 1d and as well as 24 hours, but same thing. How do we have the result fetched from the top of the hour?

index!=_internal "test" |  rex "(?i)fieldname1=(?P[^]]+)" | dedup FIELDNAME | timechart span=1d count
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎08-15-2016 01:27 PM

Try this

index!=_internal "test" earliest="-7@d" |  rex "(?i)fieldname1=(?P[^]]+)" | dedup FIELDNAME | timechart span=1d count

View solution in original post

Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎08-15-2016 01:27 PM

Try this

index!=_internal "test" earliest="-7@d" |  rex "(?i)fieldname1=(?P[^]]+)" | dedup FIELDNAME | timechart span=1d count
Reply
Solved! Jump to solution

Masa
Splunk Employee
Splunk Employee
‎08-15-2016 01:46 PM

sundareshr typo ? earliest="-7d@d"

https://docs.splunk.com/Documentation/Splunk/6.4.2/Search/Specifytimemodifiersinyoursearch

Reply
Solved! Jump to solution

Vignesh5r
New Member
‎08-15-2016 02:01 PM

Thanks Masa!!

0 Karma
Reply
Solved! Jump to solution

Vignesh5r
New Member
‎08-15-2016 02:01 PM

Thanks Sundar. This works. With the correction provided, i am indicatig the final query which worked and took transactions from 00:00 hrs 7 days ago till now. 

index!=_internal "test" earliest="-7@d@d" |  rex "(?i)fieldname1=(?P[^]]+)" | dedup FIELDNAME | timechart span=1d count

Thanks once again Sundar

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...