- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've tried a few methods shared here to adjust the start/end times of span. Mainly:
1 -
| eval _time=_time-3600
| bin _time span=4h
| eval _time=_time+3600
2 -
| timechart span=4h aligntime=@h-120m
However after testing, neither of these is actually offsetting the span. It only changes the times shown in the resulting table. The values (in my case counts) in each box do not change, just the _time values. Am I doing something wrong?
For example:
| _time | A | B | C |
| 1/28 00:00 | 2 | 1 | 2 |
| 1/28 04:00 | 4 | 2 | 4 |
| 1/28 08:00 | 6 | 3 | 6 |
| 1/28 12:00 | 8 | 4 | 8 |
| 1/28 16:00 | 10 | 5 | 10 |
| _time | A | B | C |
| 1/27 22:00 | 2 | 1 | 2 |
| 1/28 02:00 | 4 | 2 | 4 |
| 1/28 06:00 | 6 | 3 | 6 |
| 1/28 10:00 | 8 | 4 | 8 |
| 1/28 14:00 | 10 | 5 | 10 |
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
With tstats you have to be a bit creative but yes, you can do it. You have to do tstats over finer time division and then aggregate with timechart to a coarser timespan. For example
| tstats prestats=t count where index=something by source _time span=1m
| timechart span=10m aligntime=300 count by source
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What can I say? The aligntime option works for me. Like
index=firewall earliest=-15m | timechart count span=1m aligntime=30
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Does it work with tstats?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
With tstats you have to be a bit creative but yes, you can do it. You have to do tstats over finer time division and then aggregate with timechart to a coarser timespan. For example
| tstats prestats=t count where index=something by source _time span=1m
| timechart span=10m aligntime=300 count by source
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This worked great. For anyone else, I verified the totals between the new and old searches just in case with
| addtotals row=f col=t
Thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You must have heard the phrase, time is of essence. This is especially true in time series such as Splunk. Could you start from the beginning and describe your use case? What is the input, what is the expected output, and what is the logic between input and expected output without SPL?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm searching for a method for general use that I can apply as needed. Currently for testing I'm using a simple tstats search counting events by ip, in spans of 4 hours. I need a way to adjust the starting point of the spans but as shown above, it's not actually shifting where it's searching the data. It's just changing the time labels in the table.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Always, always describe your use case in terms of data. Without data, it is very difficult for another person to understand what you are trying to achieve. Let me give you a starter.
Suppose your raw data is
| A | B | C | _time |
| 1 | 38 | 299 | 2025-02-04 23:59:00 |
| 2 | 36 | 296 | 2025-02-04 23:56:00 |
| 3 | 34 | 291 | 2025-02-04 23:51:00 |
| 4 | 32 | 284 | 2025-02-04 23:44:00 |
| 5 | 30 | 275 | 2025-02-04 23:35:00 |
| 6 | 28 | 264 | 2025-02-04 23:24:00 |
| 7 | 26 | 251 | 2025-02-04 23:11:00 |
| 8 | 24 | 236 | 2025-02-04 22:56:00 |
| 9 | 22 | 219 | 2025-02-04 22:39:00 |
| 10 | 20 | 200 | 2025-02-04 22:20:00 |
| 11 | 18 | 179 | 2025-02-04 21:59:00 |
| 12 | 16 | 156 | 2025-02-04 21:36:00 |
| 13 | 14 | 131 | 2025-02-04 21:11:00 |
| 14 | 12 | 104 | 2025-02-04 20:44:00 |
| 15 | 10 | 75 | 2025-02-04 20:15:00 |
| 16 | 8 | 44 | 2025-02-04 19:44:00 |
| 17 | 6 | 11 | 2025-02-04 19:11:00 |
| 18 | 4 | -24 | 2025-02-04 18:36:00 |
| 19 | 2 | -61 | 2025-02-04 17:59:00 |
| 20 | 0 | -100 | 2025-02-04 17:20:00 |
| 21 | -2 | -141 | 2025-02-04 16:39:00 |
| 22 | -4 | -184 | 2025-02-04 15:56:00 |
| 23 | -6 | -229 | 2025-02-04 15:11:00 |
| 24 | -8 | -276 | 2025-02-04 14:24:00 |
| 25 | -10 | -325 | 2025-02-04 13:35:00 |
This mock sequence spans roughly three 4-hour intervals. Now, if you bucket the sequence into 4-hour bins,
| bin _time span=4h@h
You get
| A | B | C | _time |
| 1 | 38 | 299 | 2025-02-04 20:00 |
| 2 | 36 | 296 | 2025-02-04 20:00 |
| 3 | 34 | 291 | 2025-02-04 20:00 |
| 4 | 32 | 284 | 2025-02-04 20:00 |
| 5 | 30 | 275 | 2025-02-04 20:00 |
| 6 | 28 | 264 | 2025-02-04 20:00 |
| 7 | 26 | 251 | 2025-02-04 20:00 |
| 8 | 24 | 236 | 2025-02-04 20:00 |
| 9 | 22 | 219 | 2025-02-04 20:00 |
| 10 | 20 | 200 | 2025-02-04 20:00 |
| 11 | 18 | 179 | 2025-02-04 20:00 |
| 12 | 16 | 156 | 2025-02-04 20:00 |
| 13 | 14 | 131 | 2025-02-04 20:00 |
| 14 | 12 | 104 | 2025-02-04 20:00 |
| 15 | 10 | 75 | 2025-02-04 20:00 |
| 16 | 8 | 44 | 2025-02-04 16:00 |
| 17 | 6 | 11 | 2025-02-04 16:00 |
| 18 | 4 | -24 | 2025-02-04 16:00 |
| 19 | 2 | -61 | 2025-02-04 16:00 |
| 20 | 0 | -100 | 2025-02-04 16:00 |
| 21 | -2 | -141 | 2025-02-04 16:00 |
| 22 | -4 | -184 | 2025-02-04 12:00 |
| 23 | -6 | -229 | 2025-02-04 12:00 |
| 24 | -8 | -276 | 2025-02-04 12:00 |
| 25 | -10 | -325 | 2025-02-04 12:00 |
If you do stats/timechart on this, you get what you get.
Now, what do you mean by "adjust the starting point of the spans"? What will the bucketed sequence look like? Give a concrete example using this dataset.
You can reproduce the above sequence using the following code:
| makeresults count=25
| streamstats count as A
| eval _time = strptime("2025-02-05", "%F") - 60 * A * A
| eval B = 40 - 2 * A, C = 300 - A * A
| bin _time span=4h@h
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Refer to the tables in my original post. I'm doing a count of events per each span using tstats. So just how many events were there from 00:00-04:00, 04:00-08:00 etc. But splunk chooses that starting point of 00:00 and sometimes it's a very poor choice so I would like to be able to adjust it. So instead it would be 01:00-05:00, 05:00-09:00 etc. The methods I've found in the forum do not seem to work with tstats. As shown in my second table, the _time labels are adjusted but the values are not recalculated.
