Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Real time window not working with timechart

marvinlee93
Explorer
‎11-26-2018 06:23 PM

| eval _time=_time+28800 |timechart values(Acc_X_G) as Acc_X values(Acc_Y_G) as Acc_Y values(Acc_Z_G) as Acc_Z

Above is my search code for my timechart. I have set the Auto Refresh Delay to 1s.
However, the timechart only works with All time(real-time) but it fails with the other real time windows. (30s, 1min, 5min, 30min & 1hr)
Also, my data has been time stamped correctly.

Any idea what's the problem here?

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎11-26-2018 10:20 PM

You actually do have severe timestamping problems. I suggest that you install the Meta Woot! (https://splunkbase.splunk.com/app/2949/) and Data Curator (https://splunkbase.splunk.com/app/1848/) apps and go through the screens and fix your timestamping problems. You can hear a bit more about why these are important in my .conf talk here:

https://conf.splunk.com/files/2018/recordings/10-must-have-apps-fn1072.mp4

0 Karma
Reply

woodcock
Esteemed Legend
‎11-26-2018 07:09 PM

If your time is timestamped correctly, then you would not need to do | eval _time = _time+28800.

0 Karma
Reply

marvinlee93
Explorer
‎11-26-2018 08:01 PM

Hi! Thanks for the quick reply! I have added this line because the x-axis(time) on my timechart is lagging by 8 hours. Didn't know that it will affect my real-time search! Is there a way to solve this issue without affecting my real time search window?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...