I've been playing around with the timechart command and spanning; however, there is an issue I'm having when I'm trying to use it to match a chart I'm defining with the last 7 days timespan.
I'm trying to have timechart span in such a way that its current period is the same as the last 7 days command, while it is able to go back X number of these periods to build a trend off of. I've been unable to find a combination of span variables and time offsets that matches the time snap of the last 7 days window.
Does anyone with experience doing something like this have a solution that allows you to more precisely define the time snapping?
Apologies for the difficulty in understanding this question; I've included the below to help explain what I am getting at:
When I use timechart count span=7d, I receive the following output:
However, when I use timechart count span=1d, I receive the following output:
I've marked above in red the dates which make up 2016-06-04 in the output with the larger span, and so on. What I'm looking for is a way to reverse that calculation, so that instead of starting at the 'earliest' date and making 7 day spans, I'd like it to start at the 'latest' date and make the spans going backwards.
I hope this has made it more clear!
I've attempted the double binning solution MuS provided; however, the bins are still being created from earliest to latest, instead of latest to earliest, which is my desired outcome.
Apologies but I've read your question twice but I still don't understand it... 😄 Can you maybe add screenshots and search commands and earliest/latests etc to explain what you get and what you want again?
I've updated the original post with some clarifications I hope should help.
Splunk by default shows the earliest events at top like in this run everywhere command.
If you want to reverse the order, simply add | sort - _time at the end of your search:
Hope this helps ...
Finally I understand what your question is all about 😉 So, if you want this kind of time spanning, you must do some double bucketing of
First you will need to get your events by day (for this run-everywhere example I used hours, but this can be easily changed to days):
index=_internal kb=* kbps=* earliest=-28h@h latest=-1h@h | bin _time span=1h | stats sum(kb) AS perHour by _time
This will give you results per hour; note the latest in the base search - this is how to tell Splunk where to start the second _time bucketing. To get the second bucketing starting with the oldest event, we have to use reverse (not very efficient, I know) and run the timechart against this event set:
| reverse | timechart span=7h values(perHour) AS val_perHour sum(perHour) AS Total
This time we will use span=7h to group events over 7 hours.
The final search looks like this:
index=_internal kb=* kbps=* earliest=-28h@h latest=-1h@h | bin _time span=1h | stats sum(kb) AS perHour by _time | reverse | timechart span=7h values(perHour) AS val_perHour sum(perHour) AS Total
And the result is this:
If you want to take this to the next level and have some kind of dynamic span based on the time range picker, check out this answer: https://answers.splunk.com/answers/390574/how-to-create-a-search-that-shows-a-trending-value.html
Thanks for the response!
However, this only changes the order it is displayed in, versus my desired goal of reversing the order the spans are generated and calculated.
Aaaah, now I get it 🙂 Took me some time to understand it, but I think I have the answer somewhere .... pls wait.
Update ping, see my answer to get some ideas on how this can be done - cheers, MuS
Hello! I tried out the solution you provided a few ways, however it does not appear that double binning the time affects the starting points for any of the bins. I'm still continuing to have the bins only form from earliest to latest.
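An alternative to the bin/reverse approach, added here as an example and not part of MuS's answer or of anything posted in this thread, computes each bucket backwards from the end of the search window instead of letting bin/timechart snap forwards from the earliest event. It reuses the run-everywhere base search and the 7-hour period from the answer above; the field names span_secs, periods_back, bin_start and bin_end are chosen for this example, and info_max_time is the end of the search time range as populated by the addinfo command.

```spl
index=_internal kb=* kbps=* earliest=-28h@h latest=-1h@h
| addinfo
| eval span_secs = 7*3600
| eval periods_back = floor((info_max_time - _time) / span_secs)
| eval bin_start = info_max_time - (periods_back + 1) * span_secs
| eval bin_end = bin_start + span_secs
| stats sum(kb) AS Total count AS Events by bin_start bin_end
| sort - bin_start
| eval bin_start = strftime(bin_start, "%Y-%m-%d %H:%M"), bin_end = strftime(bin_end, "%Y-%m-%d %H:%M")
```

periods_back is 0 for the most recent 7-hour period ending at latest, 1 for the one before it, and so on, so the newest bucket always ends exactly at the search's latest time and any partial bucket lands at the oldest end of the range rather than the newest; an event whose _time falls exactly on a boundary is counted in the older bucket. For the 7-day version of the question use span_secs = 7*86400 and pin latest to a day boundary (for example latest=@d), because with the default latest of now, info_max_time is the moment the search ran and the buckets would snap to that instant rather than to midnight.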