Splunk Search

How do I modify the span for timechart to match a chart I'm defining with a time range of "last 7 days"?

Contributor

Hello!

I've been playing around with the timechart command and spanning, however, there is an issue I'm having when I'm trying to use it to match a chart I'm defining with the last 7 days timespan.

I'm trying to have timechart span in such a way that its current period is the same as the last 7 days command, while it is able to go back X number of these periods to build a trend off of. I've been unable to find a combination of span variables and time offsets that matches the time snap of the last 7 days window.

Does anyone with experience doing something like this have a solution that allows you to more precisely define the time snapping?

Edit:
Apologies for the difficulty in understanding this question; I've included the below to help explain what I am getting at:

When I use timechart count span=7d, I receive the following output:
7 Day Span

However, when I use timechart count span=1d, I receive the following output:
1 Day Span

I've marked above in red the dates which make up 2016-06-04 in the output with the larger span, and so on. What I'm looking for is a way to reverse that calculation, so that instead of starting at the 'earliest' date and making 7 day spans, I'd like it to start at the 'latest' date and make the spans going backwards.

I hope this has made it more clear!

Second edit:

I've attempted to do the double binning solution MuS provided, however the bins are still being created from earliest to latest, instead of latest to earliest which is my desired outcome.


Re: How do I modify the span for timechart to match a chart I'm defining with a time range of "last 7 days"?

Esteemed Legend

What is wrong with span=7d?


Re: How do I modify the span for timechart to match a chart I'm defining with a time range of "last 7 days"?

Contributor

Apologies, but I've read your question twice and I still don't understand it... 😄 Can you maybe add screenshots and search commands and earliest/latest etc. to explain what you get and what you want again?


Re: How do I modify the span for timechart to match a chart I'm defining with a time range of "last 7 days"?

Contributor

I've updated the original post with some clarifications I hope should help.


Re: How do I modify the span for timechart to match a chart I'm defining with a time range of "last 7 days"?

Contributor

Thanks that's much clearer! Interesting question.


Re: How do I modify the span for timechart to match a chart I'm defining with a time range of "last 7 days"?

SplunkTrust

Hi goodsellt,

Splunk by default shows the earliest events at top like in this run everywhere command.
If you want to reverse the order simply add a |reverse or | sort - _time at the end of your search:


Hope this helps ...

cheers, MuS

Update:

Finally I understand what your question is all about 😉 So, if you want such a kind of time spanning, you must do some double bucketing of _time.

First you will need to get your events by day (for this run-everywhere example I used hours, but this can be easily changed to days):

index=_internal kb=* kbps=* earliest=-28h@h latest=-1h@h | bin _time span=1h | stats sum(kb) AS perHour by _time

This will give you results per hour; note the latest in the base search - this is how to tell Splunk where to start the second _time bucketing. To get the second bucketing starting with the oldest event, we have to use reverse (not very efficient, I know) and use timechart against this event set:

| reverse | timechart span=7h values(perHour) AS val_perHour sum(perHour) AS Total

This time we will use the span=7h to group events over 7 hours.

The final search looks like this:

index=_internal kb=* kbps=* earliest=-28h@h latest=-1h@h 
| bin _time span=1h 
| stats sum(kb) AS perHour by _time 
| reverse 
| timechart span=7h values(perHour) AS val_perHour sum(perHour) AS Total

And the result is this:


If you want to take this to the next level and have some kind of dynamic span based on the time range picker, check out this answer https://answers.splunk.com/answers/390574/how-to-create-a-search-that-shows-a-trending-value.html

cheers, MuS
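The arithmetic behind the question, as an added illustration that is not part of the thread and not Splunk's own binning code: earliest-anchored bins (the way the asker describes timechart span=7d behaving) next to latest-anchored bins (what the asker wants), plus the observation that the two agree whenever the search window's earliest boundary is a whole number of spans before latest. It assumes event timestamps are plain instants and uses constructed sample counts.

```python
from datetime import datetime, timedelta

SPAN = timedelta(days=7)

# Constructed sample input (not data from the thread): one event per day for
# 17 days, 2016-05-20 .. 2016-06-05, with a made-up count per day.
EVENTS = [(datetime(2016, 5, 20) + timedelta(days=i), 10 + i) for i in range(17)]


def bin_forward(events, span):
    """Earliest-anchored bins, the layout the question describes for 'timechart span=7d':
    bin k covers [earliest + k*span, earliest + (k+1)*span) and is keyed by its start."""
    earliest = min(t for t, _ in events)
    totals = {}
    for t, n in events:
        k = (t - earliest) // span          # timedelta // timedelta -> whole spans elapsed
        start = earliest + k * span
        totals[start] = totals.get(start, 0) + n
    return dict(sorted(totals.items()))


def bin_backward(events, span):
    """Latest-anchored bins, what the question asks for: bin 0 ends at the latest
    event and covers (latest - span, latest]; bin k is the span k steps further back.
    Keyed by bin start so the output shape matches bin_forward."""
    latest = max(t for t, _ in events)
    totals = {}
    for t, n in events:
        k = (latest - t) // span            # whole spans between this event and latest
        start = latest - (k + 1) * span
        totals[start] = totals.get(start, 0) + n
    return dict(sorted(totals.items()))


def aligned_earliest(latest, span, periods):
    """Earliest boundary that is exactly 'periods' spans before 'latest'. Cutting the
    window there makes forward and backward binning produce the same totals, so an
    earliest-anchored chart lines up with the latest-anchored one the asker wants."""
    return latest - periods * span


if __name__ == "__main__":
    print("forward :", bin_forward(EVENTS, SPAN))
    print("backward:", bin_backward(EVENTS, SPAN))
```

With 17 days of data the forward layout leaves a short 3-day bin at the end, while the backward layout leaves it at the start; trimming the window to a multiple of the span removes the difference.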


Re: How do I modify the span for timechart to match a chart I'm defining with a time range of "last 7 days"?

Contributor

Thanks for the response!

However, this only changes the order it is displayed in, versus my desired goal of reversing the order the spans are generated and calculated.


Re: How do I modify the span for timechart to match a chart I'm defining with a time range of "last 7 days"?

SplunkTrust

aaaah, now I get it 🙂 took me some time to understand it but I think I have the answer somewhere .... pls wait.


Re: How do I modify the span for timechart to match a chart I'm defining with a time range of "last 7 days"?

SplunkTrust

Update ping, see my answer to get some ideas on how this can be done - cheers, MuS


Re: How do I modify the span for timechart to match a chart I'm defining with a time range of "last 7 days"?

Contributor

Hello! I tried out the solution you provided a few ways, however it does not appear that double binning the time affects the starting points for any of the bins. I'm still continuing to have the bins only form from earliest to latest.
