Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Timechart Span problem

jadengoho
Builder
‎07-25-2018 07:52 PM

Hi ,
Question regarding splunk timechart
if i ran the command :

index=_internal earliest=-1@d latest=now()
| timechart span=1h count by host

alt text

it returns data from "2018-07-24 23:00"
but when i set timechart span=1h , it starts "2018-07-25 00:00"

I am expecting Format to be :
_time
"2018-07-25 00:00"
"2018-07-25 03:00"
"2018-07-25 06:00"

Can somebody tell me why does the span command override the time configured?
Also, how can I resolve this problem?

Thanks in advance.

Preview file
57 KB
0 Karma
Reply

KailA
Contributor
‎07-26-2018 07:32 AM

You're right !
It shows you a time that is not in your time range but you will only have the result from your time range.
I'm sure if you run this query :

index=_internal earliest=-2d@d latest=-1d@d
 | timechart span=2h count by host

And this one 

index=_internal earliest=-2d@d latest=-1d@d
 | timechart span=3h count by host

You will have the same result in the first row.
it just because Splunk has to find a way to display the data with the span you gave.
But I don't know how it works and how to display it the way you want it...

KailA

0 Karma
Reply

Shan
Builder
‎07-25-2018 09:45 PM

@jadengoho

can you please give a try with below query 

index=_internal  earliest=@d latest=now()
| timechart span=2h count,values(_time) as time  by host
0 Karma
Reply

jadengoho
Builder
‎07-26-2018 02:10 AM

Yes that would work on span=(1 AND 2)h
but when you set to 3h above , it will show time that is not included in the time range i set.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2026-2027 SplunkTrust is officially open. If ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...