Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to display timechart as area chart over last 4 hours with span of 1 hour?

ateterine
Path Finder
‎06-16-2014 05:01 PM

I will try my best to formulate my question as I couldn't find anything similar asked already.

I am trying to display timechart as AreaChart over the last 4hrs with a span of 1h

source="*searchstring*" index=main | timechart span=1h dc(user_id) as "Users"

At a time this posted, my time was 4:50pm. I am applying custom time of: -4h@h to @h

Very simple task and pretty straight forward.

The challenge is that my chart has blank space on the left edge of it and missing information from the 4:00pm.

Any help will be appreciated. (I cannot upload screenshot, but I hope my explanation makes sense)

Tags (1)
0 Karma
Reply

somesoni2
SplunkTrust
SplunkTrust
‎06-18-2014 10:13 AM

If its just about visualization for you, you can try this little workaround. The data magnitude will be same, but it will get shown till the last minute.

source="*searchstring*" index=main earliest=-4h@h latest=@h | eventstats dc(user_id) as Users by date_hour| timechart span=1m max(Users) as "Users"
0 Karma
Reply

somesoni2
SplunkTrust
SplunkTrust
‎06-18-2014 12:37 PM

Another workaround will be summarize by end hour i.e. instead of default timechart where summary 8:00 AM to 9:00 AM summary will be logged with time 8:00 AM, show data as 9:00 AM (for 8:00 AM to 9:00 AM). One problem with this is that the chart will start from 0 and then increase gradually.

0 Karma
Reply

ateterine
Path Finder
‎06-18-2014 11:59 AM

Thanks @somesoni2, but it will display timespan 1minute, but it is not what I am trying to do.
I am trying to show X number of hours back data over the area chart of X number of points. Meaning that last 8 hours area chart will have 8 data points on the graph, which cuts off the last result regardless.

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎06-16-2014 11:33 PM

Hi ateterine,

this because of your time range modifiers you did use, the @h as latest will snap to 03:00pm in your case not 04:00pm. If you want to snap to the current hour you should use this +h@h instead.

This can be tested in the UI time range picker, in the Advanced section also the docs have some good examples about Specify time modifiers in your search.

Also, you should check the chart graph formatting how it will display 0 or no results; as gap, as zero or connect

hope this helps ...

cheers, MuS

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎06-17-2014 10:42 PM

Okay, this is not a problem of the timechart command, it is related to the chart graph and therefore cannot be fixed by any command. Have a look at the docs about AdvChartingConfig-LayoutData maybe you will find a hint in there.

0 Karma
Reply

ateterine
Path Finder
‎06-17-2014 01:30 PM

Thanks @somesoni2 and @MuS, I understand the issue behind not displaying the data for 9:00am. But the real issue I am facing is that no matter how you break down the timespan, it always seems that area chart is missing last value (simply in representation of the data on the screen)
What I'm trying to accomplish is to have the chart go all the way from left-most edge to the right-most edge. But I cannot get it to go to the right-most edge.
Thanks

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎06-17-2014 12:02 PM

Like @somesoni2 wrote, this is because the current hour will have not events. If you blank out the latest time you will get results in the timechart.

0 Karma
Reply

somesoni2
SplunkTrust
SplunkTrust
‎06-17-2014 10:41 AM

I think that's the default behaviour of the charts. When you do the timechart, you would get 4 rows but the timestamp will be start of the hour. E.g. if its 9:10 AM, -h@h and @h will get data from 5:00 AM to 9:00 AM but the timestamp will be like 1) 5:00 AM 2)6:00 AM 3) 7:00 AM and 4) 8:00 AM, hence the charts will be shown till 8:00 AM x-axis, and feel like data missing for 9:00 AM.

Reply

ateterine
Path Finder
‎06-17-2014 09:11 AM

Thank you, that brings back the current hour stats, but still has issue of having empty space on the right-hand side.
It is 9:10am as I write this and the issue is when I use +h@h, Time Selector displays 6/17/14 10:00:00.000 AM, but there is no content at 10am, obviously. If I use just @h, it selects 6/17/14 09:00:00.000 AM but results for 9am are not showing up. I hope I can upload the screenshot to display the behaviour.
Thank you

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...