Solved: How to get the last hour of events but also remove...

michael_wong · ‎03-29-2022

Hello,

When I build the dashboard, I can see the last hour always not accuracy because the latest hour date is incomplete, take below as example. Assume that every hour we have 1000 events, but if I run the search in 03:30, it will got 500 events only, because another 500 events will come in next half hours.

However, if you use timechart to show last 4 hours, it will show the table like below. Is there a way I can show O'clock, but remove any data after the O'clock?

_time events

01:00 1000

02:00 1000

03:00 1000

04:00 500

Table

_time Events

2022-03-30 00:00	1000
2022-03-30 01:00	1000
2022-03-30 02:00	1000
2022-03-30 03:00	1000
2022-03-30 04:00	500

bowesmana · ‎03-30-2022

Set the time picker to Advanced and set the earliest/latest as needed -4h@h and @h

View solution in original post

bowesmana · ‎03-29-2022

You can control the time window of your search, e.g. if you set the earliest to be -4h@h and the latest to be @h , e.g.

earliest=-4h@h latest=@h

then you will get the previous 4 hours up to the last completed hour

michael_wong · ‎03-30-2022

Thanks for your help. But I need to use it in tstats command, and it will give error "'tstats' command: Invalid argument: 'earliest=-4h@h'" Do you know any other way. Better it can use in time picker as well.

bowesmana · ‎03-30-2022

Set the time picker to Advanced and set the earliest/latest as needed -4h@h and @h

How to get the last hour of events but also remove any data after last hour

timechart

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life