Splunk Search

How to create bins for _time that start and end on specific hours of the day?

Communicator

I am attempting to summarize data by a 12 hour reporting period. The reporting periods start/end at 8.

My search looks like this:

field1=value1 earliest=@w0+8h | transaction maxpause=5m maxspan=2h | bin _time span=12h  | stats sum(duration) by _time 

Unfortunately, it produces results starting at 7 am and ending at 7 pm.

I have tried:

  • changing the value of hours added in earliest : i.e. w0+5h also produces bins that start and end at 7
  • removing the transaction command from the search and putting in a placeholder for duration
  • changing the span in the bin command: span of 1h starts at 8 am, all other bin span values i.e. 2, 4 start at 7 am

It seems like something to do with the bin span as the problem, but I don't know how to fix it.

Unfortunately, I can't provide anything but generic examples of my data since I work in industry.

0 Karma

Esteemed Legend

The simplest way is to force a temporary frame of reference that lets things work as they are now, and then shift back at the end, like this:

field1=value1 earliest=@w0+8h | eval _time = _time - 3600 | transaction maxpause=5m maxspan=2h | bin _time span=12h  | stats sum(duration) by _time | eval _time = _time + 3600
0 Karma