Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to timewrap for today Format

Thulasinathan_M
Communicator
‎09-29-2023 03:43 AM

Hi Splunk Experts,

The timewrap command is using d(24 hr) format, but I'm wondering is it possible to make it Today format.

Ex: If Current time is 10AM, then it's displaying timechart of 12 AM to 10AM (12, 14, 16, 18, 20, 22, 00, 02, 04, 06, 08, 10), but I'm looking for 00 AM to 22 (00, 02, 04, 06, 08, 10, 12, 14, 16, 18, 20, 22).

Any advice would be much appreciated.

 

index="_internal" error
| timechart span=10m count as Counts 
| timewrap d series=exact time_format="%Y-%m-%d"

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎09-29-2023 01:09 PM

First of all, thanks for introducing me to timewrap😎 (which arrived in Splunk 7).  Back in Splunk 5, I was bugging veterans in this board to help with a clumsy attempt to wrap.

Timechart is governed by a pair of internal, write-only fields info_min_time and info_max_time determined at search time.  All you need to do is to shift search window.

index="_internal" error latest=+1d@d
| timechart span=10m count as Counts 
| timewrap d series=exact time_format="%Y-%m-%d"

Because you are at 10AM now, if your time selector is, say last 7 days, you'll get some weird artifact whereby 10 first hours in the first day is actually cut off.  To rectify, specify - either in selector or in your search that you want to start at the beginning of that first day.  E.g.,

index="_internal" error earliest=-7d@d latest=+1d@d
| timechart span=10m count as Counts 
| timewrap d series=exact time_format="%Y-%m-%d"

Hope this helps.

View solution in original post

Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎09-29-2023 01:09 PM

First of all, thanks for introducing me to timewrap😎 (which arrived in Splunk 7).  Back in Splunk 5, I was bugging veterans in this board to help with a clumsy attempt to wrap.

Timechart is governed by a pair of internal, write-only fields info_min_time and info_max_time determined at search time.  All you need to do is to shift search window.

index="_internal" error latest=+1d@d
| timechart span=10m count as Counts 
| timewrap d series=exact time_format="%Y-%m-%d"

Because you are at 10AM now, if your time selector is, say last 7 days, you'll get some weird artifact whereby 10 first hours in the first day is actually cut off.  To rectify, specify - either in selector or in your search that you want to start at the beginning of that first day.  E.g.,

index="_internal" error earliest=-7d@d latest=+1d@d
| timechart span=10m count as Counts 
| timewrap d series=exact time_format="%Y-%m-%d"

Hope this helps.

Reply
Solved! Jump to solution

Thulasinathan_M
Communicator
‎09-29-2023 09:31 PM

Wow, that's a very useful information. Thanks for explaining @yuanliu. It's working perfectly!!! 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...