Hi all,
I am a relatively new user of Splunk, so do be patient with me if you think that my questions have been answered before.
Background:
I'm trying to count events using a timechart, but I am currently facing a problem in setting a range for the x-axis in the timechart.
I have tried to look for solutions, but I think that I could not find anything that is similar to mine.
Question:
How do I set the x-axis for the timechart? I tried to run the following query and it does not limit the x-axis range.
index = ["something"] [search for IP address] | timechart span=1hr count by date.
The corresponding results will be
17-02-2017 | 18-02-2017 | 19-02-2017 | 20-02-2017
2017-02-17 06:00
....
2017-02-17 23:00
2017-02-18 00:00
....
2017-02-18 23:00
Is there a command where I can set the X-axis range of timechart to explicitly display from 0600hrs to 2300 without the time chart column going to the next day?
Thank you for your time in looking into my situation.
Try like this. This will remove all the results that are before 6AM and after 11PM. The x-axis will adjust accordingly.
index = ["something"] [search for IP address] | timechart span=1hr count by date | where strftime(_time,"%H")>=6 AND strftime(_time,"%H")<23
Try this -
index = ["something"] [search for IP address]
| eval myHour = strftime(_time,"%H:%M:%S")
| where myHour>="06:00:00" AND myHour <"23:00:00"
| timechart span=1hr count
What are you trying to achieve?
If you are trying to only count events that occur between certain hours, across a number of days, then you need to filter that before you feed it into the timechart command.
Also, span=1hr and count by date make no sense at all together.
If you are just looking for one day, add earliest=-1d@d latest=@d to the beginning of your search.
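The layout sketched in the question (one row per hour, one column per day) can also be produced with chart instead of timechart. The query below is an added example, not part of the original thread. The index name, the src_ip field, the IP value and the four-day time range are placeholder assumptions. The hour is formatted as a zero-padded string so that the filter is a plain string comparison, as in the second answer, and the day uses year-month-day order so that the columns sort by date.

```spl
index=your_index src_ip="192.0.2.10" earliest=-4d@d latest=@d
| eval hour=strftime(_time,"%H:00"), day=strftime(_time,"%Y-%m-%d")
| where hour>="06:00" AND hour<"23:00"
| chart count over hour by day
```

Because the x-axis is now the hour field rather than _time, it runs from 06:00 to 22:00 once and does not continue into the next day.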