Assuming my search string includes the "earliest=04/12/2013:07:45:00 latest=04/13/2013:09:45:00" values and I am using "timechart span=60m", the search results will be returned in three buckets (actual events falling into the hourly buckets):
But I would like to only get two 60 minute buckets, 07:45-08:45 and 08:45-09:45.
Is there a way to do so with Advanced Charting and timecharts on v.4.3.3?
Thanks in advance for the help!
It's the timechart command that does the binning, so no amount of advanced charting voodoo will correct the ranges of data.
The only thing I can think of is something like this:
*
| addinfo
| eval modifier=60*tonumber(strftime(info_min_time,"%M"))
| eval _time=_time-modifier
| timechart span=1h count by sourcetype
| eval _time=_time+[
search *
| head 1
| addinfo
| eval modifier=60*tonumber(strftime(info_min_time,"%M"))
| return $modifier
]
This looks at the minimum time for the search, gets the minute, offsets the data by that much so it snaps to the hour cleanly, does the timechart, then corrects the offset.
The subsearch does depend on you setting the earliestTime in the timerangepicker, and not hardcoding it into the main search.
If you're hardcoding it into the main search, everything becomes much simpler, because you might as well just replace "modifier" with minutes*60.
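To see why the subtract/bin/add-back trick in this answer changes the bucket edges, here is an added Python model of the binning (example code written for this page, not from the thread or from Splunk). It counts constructed events into hourly buckets both the stock way and with the answer's "modifier", and it assumes timechart lays out its bars over the search window rather than over the shifted _time values.

```python
from collections import Counter
from datetime import datetime, timedelta

# Format of the earliest=/latest= values quoted in the question.
SPLUNK_TIME_FMT = "%m/%d/%Y:%H:%M:%S"


def parse_splunk_time(s):
    return datetime.strptime(s, SPLUNK_TIME_FMT)


def hour_floor(t):
    """Snap down to the top of the hour, as timechart span=1h does."""
    return t.replace(minute=0, second=0, microsecond=0)


def timechart_hourly(events, earliest, latest, align_to_earliest=False):
    """Return {bucket_start: count} for each hourly bucket timechart would draw.

    align_to_earliest=False models stock timechart: buckets start on the hour.
    align_to_earliest=True applies the answer's trick: subtract the minute part of
    info_min_time (the "modifier") from _time, bin on the hour, then add it back.
    Assumption: timechart derives its bar range from the search window
    [earliest, latest), so a bucket that ends up empty is still drawn.
    """
    modifier = timedelta(minutes=earliest.minute) if align_to_earliest else timedelta(0)
    counts = Counter()
    b = hour_floor(earliest)
    while b < latest:                              # one bar per hour of the window
        counts[b + modifier] = 0
        b += timedelta(hours=1)
    for t in events:
        shifted = t - modifier                     # eval _time=_time-modifier
        bucket = hour_floor(shifted) + modifier    # timechart, then eval _time=_time+modifier
        counts[bucket] += 1
    return dict(sorted(counts.items()))


# Constructed sample window and event times (not taken from the thread).
EARLIEST = parse_splunk_time("04/12/2013:07:45:00")
LATEST = parse_splunk_time("04/12/2013:09:45:00")
EVENTS = [EARLIEST.replace(hour=h, minute=m)
          for h, m in [(7, 50), (8, 10), (8, 40), (8, 50), (9, 20), (9, 44)]]

STOCK = timechart_hourly(EVENTS, EARLIEST, LATEST)                            # 07:00, 08:00, 09:00
ALIGNED = timechart_hourly(EVENTS, EARLIEST, LATEST, align_to_earliest=True)  # 07:45, 08:45, 09:45

if __name__ == "__main__":
    for name, chart in (("stock", STOCK), ("aligned", ALIGNED)):
        print(name, {b.strftime("%H:%M"): n for b, n in chart.items()})
```

Under the stated assumption the aligned run still yields a third, empty 09:45 bar, which matches the oddity reported in the comments.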
I will give that a try and see if it makes a difference on how the timechart handles the bucketing.
3rd bar? Screenshot?
Ok, it looks like that worked nicely with only one oddity of adding a third bar on the graph, but there were no events on it. I will play around with it some more to make sure there is nothing else that is odd.
The 1st * - yes, replace it with your search. The 2nd one, no, leave that as is - it just gets the 1st event it can find in order to get the earliest search time value.
Just to make sure I am understanding your example, are you using the two wildcards (*) since I did not provide the search in my question? I can replace both of them with my search string?
Interesting! I'd assume the actual behaviour if you specified a span of 1 hour, which could be interpreted as a wish for 'snap to the hour'.
Same results if you use span=3600s? Probably, but I'm curious.
/K