Re: Timechart Span problem

jadengoho · ‎07-25-2018

Hi ,
Question regarding splunk timechart
if i ran the command :

index=_internal earliest=-1@d latest=now()
| timechart span=1h count by host

it returns data from "2018-07-24 23:00"
but when i set timechart span=1h , it starts "2018-07-25 00:00"

I am expecting Format to be :
_time
"2018-07-25 00:00"
"2018-07-25 03:00"
"2018-07-25 06:00"

Can somebody tell me why does the span command override the time configured?
Also, how can I resolve this problem?

Thanks in advance.

KailA · ‎07-26-2018

You're right !
It shows you a time that is not in your time range but you will only have the result from your time range.
I'm sure if you run this query :

index=_internal earliest=-2d@d latest=-1d@d
 | timechart span=2h count by host

And this one

index=_internal earliest=-2d@d latest=-1d@d
 | timechart span=3h count by host

You will have the same result in the first row.
it just because Splunk has to find a way to display the data with the span you gave.
But I don't know how it works and how to display it the way you want it...

KailA

Shan · ‎07-25-2018

@jadengoho

can you please give a try with below query

index=_internal  earliest=@d latest=now()
| timechart span=2h count,values(_time) as time  by host

jadengoho · ‎07-26-2018

Yes that would work on span=(1 AND 2)h
but when you set to 3h above , it will show time that is not included in the time range i set.

Timechart Span problem

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation