Splunk Search

Question about timechart with odd earliest and latest values

eandresen
Path Finder

Assuming my search string includes the "earliest=04/12/2013:07:45:00 latest=04/13/2013:09:45:00" values and I am using "timechart span=60m", the search results will be returned in three buckets (actual events falling into the hourly buckets):

  • 07:00 (07:45-08:00)
  • 08:00 (08:00-09:00)
  • 09:00 (09:00-09:45)

But I would like to only get two 60 minute buckets, 07:45-08:45 and 08:45-09:45.

Is there a way to do so with Advanced Charting and timecharts on v.4.3.3?

Thanks in advanced for the help!

1 Solution

jonuwz
Influencer

Its the timechart command that does the binning, so no amount of advanced charting voodoo will correct the ranges of data.

The only thing I can think of is something like this :

*
| addinfo
| eval modifier=60*tonumber(strftime(info_min_time,"%M"))
| eval _time=_time-modifier
| timechart span=1h count by sourcetype
| eval _time=_time+[ 
  search * 
  | head 1
  | addinfo
  | eval modifier=60*tonumber(strftime(info_min_time,"%M"))
  | return $modifier
]

This looks at the minimum time for the search, gets the minute, offsets the data by that much so it snaps to the hour cleanly, does the timechart, then corrects the offset.

The subsearch does depend on you setting the earliestTime in the timerangepicker, and not hardcoding it into the main search.

If you're hardcoding it into the main search, everything becomes much simpler, because you might as well just replace "modifier" with minutes*60

View solution in original post

eandresen
Path Finder

I will give that a try and see if it make a difference on how the timechart handles the bucketing.

0 Karma

jonuwz
Influencer

Its the timechart command that does the binning, so no amount of advanced charting voodoo will correct the ranges of data.

The only thing I can think of is something like this :

*
| addinfo
| eval modifier=60*tonumber(strftime(info_min_time,"%M"))
| eval _time=_time-modifier
| timechart span=1h count by sourcetype
| eval _time=_time+[ 
  search * 
  | head 1
  | addinfo
  | eval modifier=60*tonumber(strftime(info_min_time,"%M"))
  | return $modifier
]

This looks at the minimum time for the search, gets the minute, offsets the data by that much so it snaps to the hour cleanly, does the timechart, then corrects the offset.

The subsearch does depend on you setting the earliestTime in the timerangepicker, and not hardcoding it into the main search.

If you're hardcoding it into the main search, everything becomes much simpler, because you might as well just replace "modifier" with minutes*60

jonuwz
Influencer

3rd bar ? screenshot ?

0 Karma

eandresen
Path Finder

Ok, it looks like that worked nicely with only one oddity of adding a third bar on the graph but there was no events on it. I will play around with it some more to make sure there is nothing else that is odd.

0 Karma

jonuwz
Influencer

The 1st * - yes replace it with your search. The 2nd one, no, leave that as is - it just gets the 1st event it can find in order to get the ealiest search time value

0 Karma

eandresen
Path Finder

Just to make sure I am understanding your example, are you using the two wildcards (*) since I did not provide the search in my question? I can replace both of them with my search string?

0 Karma

kristian_kolb
Ultra Champion

Interesting! I'd assume the actual behaviour if you specified a span of 1 hour, which could be interpreted as a wish for 'snap to the hour'.

Same results if you use span=3600s? Probably, but I'm curious.

/K

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In September, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...