Re: Timechart Span problem

jadengoho · ‎07-25-2018

Hi ,
Question regarding splunk timechart
if i ran the command :

index=_internal earliest=-1@d latest=now()
| timechart span=1h count by host

it returns data from "2018-07-24 23:00"
but when i set timechart span=1h , it starts "2018-07-25 00:00"

I am expecting Format to be :
_time
"2018-07-25 00:00"
"2018-07-25 03:00"
"2018-07-25 06:00"

Can somebody tell me why does the span command override the time configured?
Also, how can I resolve this problem?

Thanks in advance.

KailA · ‎07-26-2018

You're right !
It shows you a time that is not in your time range but you will only have the result from your time range.
I'm sure if you run this query :

index=_internal earliest=-2d@d latest=-1d@d
 | timechart span=2h count by host

And this one

index=_internal earliest=-2d@d latest=-1d@d
 | timechart span=3h count by host

You will have the same result in the first row.
it just because Splunk has to find a way to display the data with the span you gave.
But I don't know how it works and how to display it the way you want it...

KailA

Shan · ‎07-25-2018

@jadengoho

can you please give a try with below query

index=_internal  earliest=@d latest=now()
| timechart span=2h count,values(_time) as time  by host

jadengoho · ‎07-26-2018

Yes that would work on span=(1 AND 2)h
but when you set to 3h above , it will show time that is not included in the time range i set.

Timechart Span problem

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

Analytics Workspace deprecation

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Join the Conversation