Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Real time window not working with timechart

marvinlee93
Explorer
‎11-26-2018 06:23 PM

| eval _time=_time+28800 |timechart values(Acc_X_G) as Acc_X values(Acc_Y_G) as Acc_Y values(Acc_Z_G) as Acc_Z

Above is my search code for my timechart. I have set the Auto Refresh Delay to 1s.
However, the timechart only works with All time(real-time) but it fails with the other real time windows. (30s, 1min, 5min, 30min & 1hr)
Also, my data has been time stamped correctly.

Any idea what's the problem here?

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎11-26-2018 10:20 PM

You actually do have severe timestamping problems. I suggest that you install the Meta Woot! (https://splunkbase.splunk.com/app/2949/) and Data Curator (https://splunkbase.splunk.com/app/1848/) apps and go through the screens and fix your timestamping problems. You can hear a bit more about why these are important in my .conf talk here:

https://conf.splunk.com/files/2018/recordings/10-must-have-apps-fn1072.mp4

0 Karma
Reply

woodcock
Esteemed Legend
‎11-26-2018 07:09 PM

If your time is timestamped correctly, then you would not need to do | eval _time = _time+28800.

0 Karma
Reply

marvinlee93
Explorer
‎11-26-2018 08:01 PM

Hi! Thanks for the quick reply! I have added this line because the x-axis(time) on my timechart is lagging by 8 hours. Didn't know that it will affect my real-time search! Is there a way to solve this issue without affecting my real time search window?

0 Karma
Reply
Get Updates on the Splunk Community!

Customer Experience | Splunk 2024: New Onboarding Resources

In 2023, we were routinely reminded that the digital world is ever-evolving and susceptible to new ...

Celebrate CX Day with Splunk: Take our interactive quiz, join our LinkedIn Live ...

Today and every day, Splunk celebrates the importance of customer experience throughout our product, ...

How to Get Started with Splunk Data Management Pipeline Builders (Edge Processor & ...

If you want to gain full control over your growing data volumes, check out Splunk’s Data Management pipeline ...