Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to adjust the time in a timechart?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a timechart which displays the results for the past 7 days. But now i don't want the Splunk to display the results for 24 hours of the each day in last 7 days. Instead of that, I just want to display the timechart from evening 7'o clock to morning 7'o clock for the last 7 days.
Is this scenario possible in Splunk? If yes, how can we do that?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you try this please:
your Query that returns data of last seven days
|eval myHour=strftime(_time, "%H")
| where myHour>=19 OR myHour<7
| complete your query to draw the timechart
OR adding per suggestion below:
your Query that returns data of last seven days
| where date_hour>=19 OR date_hour<7
| complete your query to draw the timechart
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you try this please:
your Query that returns data of last seven days
|eval myHour=strftime(_time, "%H")
| where myHour>=19 OR myHour<7
| complete your query to draw the timechart
OR adding per suggestion below:
your Query that returns data of last seven days
| where date_hour>=19 OR date_hour<7
| complete your query to draw the timechart
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could also just use the date_hour field in splunk, that is already extracted, instead of creating the myHour field.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks @Iquinn Let me update that in the query as per suggestions. Awesome stuff.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It might be good to read up on some cautionary advice by search gurus @lguinn and @sideview on this post:
https://answers.splunk.com/answers/387130/why-is-date-hour-inconsistent-with-h.html#answer-387134
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ok, so sounds like extracting the %H using strftime is the way to go as suggested in the read and as was in the initial answer. Thanks @ppablo_splunk
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
