Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Timechart Span problem

jadengoho
Builder
‎07-25-2018 07:52 PM

Hi ,
Question regarding splunk timechart
if i ran the command :

index=_internal earliest=-1@d latest=now()
| timechart span=1h count by host

alt text

it returns data from "2018-07-24 23:00"
but when i set timechart span=1h , it starts "2018-07-25 00:00"

I am expecting Format to be :
_time
"2018-07-25 00:00"
"2018-07-25 03:00"
"2018-07-25 06:00"

Can somebody tell me why does the span command override the time configured?
Also, how can I resolve this problem?

Thanks in advance.

Preview file
57 KB
0 Karma
Reply

KailA
Contributor
‎07-26-2018 07:32 AM

You're right !
It shows you a time that is not in your time range but you will only have the result from your time range.
I'm sure if you run this query :

index=_internal earliest=-2d@d latest=-1d@d
 | timechart span=2h count by host

And this one 

index=_internal earliest=-2d@d latest=-1d@d
 | timechart span=3h count by host

You will have the same result in the first row.
it just because Splunk has to find a way to display the data with the span you gave.
But I don't know how it works and how to display it the way you want it...

KailA

0 Karma
Reply

Shan
Builder
‎07-25-2018 09:45 PM

@jadengoho

can you please give a try with below query 

index=_internal  earliest=@d latest=now()
| timechart span=2h count,values(_time) as time  by host
0 Karma
Reply

jadengoho
Builder
‎07-26-2018 02:10 AM

Yes that would work on span=(1 AND 2)h
but when you set to 3h above , it will show time that is not included in the time range i set.

0 Karma
Reply
Get Updates on the Splunk Community!

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...