Timechart X Axis - Limiting the Time Range Plot

nibinabr · ‎12-16-2014

I'm performing a search and plotting a timechart

index=hello_index sourcetype=hello_sourcetype event_id="001" now="12/16/2014:00:00:00" earliest="-1d@d" latest="+2d@d"| ...... |.....|
..| eval _time=time_stamp_I_calculated|timechart sum(something)

I have a search over 72 hrs because I don't exactly know when the event_id "001" happened. I modified _time so that it contains the timestamps of my interest during my search.

Problem
Timechart plots time on the x axis for the 72 hr window(from 15th Dec to 17th Dec).

Question
Is there a way to plot the Xaxis using time range of my interest (from the min value to the max value of _time) and not the 72 hr window.

tachifelix · ‎12-17-2014

try something like this:

 .....|timechart span=1d cont=f sum(something)

somesoni2 · ‎12-16-2014

See the documentation on the timechart command here and see the option "cont".

http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Timechart#Optional_arguments

Its defaults to true and forces timechart to span over the timerange. Making it false or f will trim your chart from min to max value of _time.

nibinabr · ‎12-17-2014

I'm not exactly sure why cont didn't work well for me. I solved this issue by doing a sub search that returns the earliest and latest time and use that as the earliest and latest values for the parent search.

Timechart X Axis - Limiting the Time Range Plot

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?