## In timechart, over what time interval does a point refer to?


If I have a chart of the form

`timechart span=T max(duration) as MaxLatency`

and a point `(x,y)`, then over what time interval is `y` computed?

`[x-T/2, x+T/2)`, `[x, x+T)` or something else?


Motivator

As @somesoni2 mentions, it is undocumented, but here is my shot at it. Bear with the long answer 🙂

I think a value `(x,y)` in a timechart should be taken as a `y` value inside the bucket `[x, x+T)`, where `x` represents the bucket start time. Hence how to calculate `x` (the start time of the first bucket) is what matters, as `T` will always be decided by the span you chose in the timechart command. I discuss this below.

Remember that `x` (if we take it as the first bucket's start time, so that the first bucket becomes `[x, x+T)`) has to be such that it covers the first event of your data (as per the time range chosen for the search query) and such that all your data (till the end time) can be covered in buckets of `T` spans.

I took some samples as follows to test how a timechart divides the buckets when, as part of the query, it is given a search start time (earliest) of `StartInTimePicker`, a search end time (latest) of `EndInTimePicker` and a span of `spansInSec` while plotting the timechart. Based on multiple values that I chose, here is how it divided the buckets and decided the `StartBucketTime` and, after a certain number of `T` (`spansInSec`) steps, the `LastBucketTime`:

```
StartInTimePicker     EndInTimePicker       Span  StartBucketTime      LastBucketTime
2016-11-09 00:29:00   2016-11-09 01:20:00   30m   2016-11-09 00:00:00  2016-11-09 01:00:00
2016-11-09 00:29:00   2016-11-09 01:31:00   30m   2016-11-09 00:00:00  2016-11-09 01:30:00
2016-11-09 00:29:59   2016-11-09 00:59:59   30m   2016-11-09 00:00:00  2016-11-09 00:30:00
2016-11-09 00:29:00   2016-11-09 00:31:00   9s    2016-11-09 00:28:57  2016-11-09 00:30:54
2016-11-09 00:29:00   2016-11-09 00:31:04   9s    2016-11-09 00:28:57  2016-11-09 00:31:03
```

It is clear from the above that most probably ONLY `earliest`, `latest` and `span` decide how the buckets will be divided. Here is the formula; replace the time picker times (`StartInTimePicker`, `EndInTimePicker`) with times of your choice from the time picker and the timechart span of your query (`spansInSec`) to see whether the results match the buckets in your timechart statistics table.

```
| makeresults
| eval StartInTimePicker="2016-11-09 00:29:00"
| eval EndInTimePicker="2016-11-09 00:31:04"
| eval spansInSec=9
| eval setStartEpoch=strptime(StartInTimePicker, "%Y-%m-%d %H:%M:%S")
| eval setEndEpoch=strptime(EndInTimePicker, "%Y-%m-%d %H:%M:%S")
| eval startBucketTime=strftime((setStartEpoch - (setStartEpoch % spansInSec)), "%Y-%m-%d %H:%M:%S")
| eval endBucketTime=strftime((setEndEpoch - (setEndEpoch % spansInSec)), "%Y-%m-%d %H:%M:%S")
| table StartInTimePicker, EndInTimePicker, spansInSec, startBucketTime, endBucketTime
```

The span is taken in seconds for simplicity; if you use a span in minutes in timechart, fill the `spansInSec` value in the above query with the equivalent number of seconds and try it yourself.

Once we have `startBucketTime` and `endBucketTime`, it should be a simple task to represent the buckets `[x, x+T), [x+T, x+2T), [x+2T, x+3T) ... [x+(n-1)T, x+nT)` as a loop of interval generation, as follows:

```
for (ii = startBucketTime; ii <= endBucketTime; ii = ii + spansInSec)
    print "[ii, ii+spansInSec)"
```

This is how I think bucket times are being generated to decide `[x, x+T)`.

SplunkTrust

I don't believe it's described anywhere in the documentation, but here is my observation.

The time interval depends upon the span and the time range of the search. Consider the example `timechart span=10m count` with a time range of `last 4 hrs`. What Splunk does is create time buckets for every 10 minutes from time 0 (`1970/01/01 00:00`) to the latest time of the range (`now`), so the time series will be `1970/01/01 00:00, 1970/01/01 10:00, 1970/01/01 20:00 ... 2016/11/09 15:30, 2016/11/09 15:40`. Then it selects buckets based on the time range (earliest and latest), taking all buckets which the time range includes, including partially included buckets. So, considering the current time as `2016/11/09 15:48` and a time range `from 2016/11/09 11:48 to 2016/11/09 15:48`, the buckets included in the time range will be `2016/11/09 11:40, 2016/11/09 11:50, 2016/11/09 12:00 ... 2016/11/09 15:30, 2016/11/09 15:40`.
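As an added example (not code from either answer above), the bucket arithmetic both answers describe, in Python: buckets of `T` seconds aligned to the Unix epoch, selected by the search range, with a per-bucket `max(duration)` the way the question's timechart computes it. It assumes UTC timestamps and uses constructed events; `bucket_starts` reproduces the rows of the table in the first answer, and the events show that a value just inside or just outside a bucket edge, or at `latest`, ends up in (or out of) the bucket the half-open interval predicts.

```python
# Added illustration, not code from the answers above: reproduce the bucket
# alignment they describe so the table in the first answer can be checked.
# Buckets of `span` seconds are aligned to the Unix epoch (x = t - t % span),
# the search range selects every bucket it touches, and each event lands in
# the half-open bucket [x, x+T) holding its _time. Timestamps are taken as UTC
# (an assumption; whole-hour offsets give the same result for these spans).
from datetime import datetime, timezone

FMT = "%Y-%m-%d %H:%M:%S"

def to_epoch(ts: str) -> int:
    return int(datetime.strptime(ts, FMT).replace(tzinfo=timezone.utc).timestamp())

def from_epoch(t: int) -> str:
    return datetime.fromtimestamp(t, tz=timezone.utc).strftime(FMT)

def bucket_start(t: int, span: int) -> int:
    """x such that t lies in [x, x+span); x is a multiple of span since 1970."""
    return t - t % span

def bucket_starts(earliest: str, latest: str, span: int) -> list:
    """Bucket starts from the bucket holding `earliest` to the one holding `latest`."""
    first = bucket_start(to_epoch(earliest), span)
    last = bucket_start(to_epoch(latest), span)
    return [from_epoch(x) for x in range(first, last + 1, span)]

def timechart_max(events, earliest: str, latest: str, span: int) -> dict:
    """Mimic `timechart span=T max(duration)`: per-bucket max, None if empty."""
    result = {x: None for x in bucket_starts(earliest, latest, span)}
    lo, hi = to_epoch(earliest), to_epoch(latest)
    for ts, duration in events:
        t = to_epoch(ts)
        if not lo <= t < hi:  # Splunk time range: earliest inclusive, latest exclusive
            continue
        x = from_epoch(bucket_start(t, span))
        result[x] = duration if result[x] is None else max(result[x], duration)
    return result

# Constructed sample events (_time, duration) placed around 9-second bucket edges.
EVENTS = [
    ("2016-11-09 00:28:58", 7),     # before earliest: its bucket exists, but it is not scanned
    ("2016-11-09 00:29:00", 120),   # bucket [00:28:57, 00:29:06)
    ("2016-11-09 00:29:05", 300),   # same bucket; becomes its max
    ("2016-11-09 00:29:06", 50),    # first second of the next bucket
    ("2016-11-09 00:31:03", 999),   # last bucket, [00:31:03, 00:31:12)
    ("2016-11-09 00:31:04", 5000),  # equal to latest: excluded
]

def demo() -> dict:
    return timechart_max(EVENTS, "2016-11-09 00:29:00", "2016-11-09 00:31:04", 9)
```

For a detection built on a timechart, the first bucket's `max` (300) comes only from events at or after `earliest`, so widening the time range can change the value shown for the same bucket.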
