Timechart count between times( (eg 5:00 PM to 5:00...

nilendra1988 · ‎07-13-2018

Hi ,

I am counting events per day for last 60 days between 5:00 PM to 5:00 PM.
I tried using timechart , but seems it didn't worked for me.
as it counting from 00:01 everyday .

Please suggest any options to do so.

Thanks

somesoni2 · ‎07-13-2018

Try like this

your base search
| bucket span=1h _time
| eval _time=relative_time(_time,"-17h")
| rename COMMENT as "Remove this line. Above line change 5PM to 00AM for day level calculation"
| timechart span=1d count
| eval _time=relative_time(_time,"+17h")
| rename COMMENT as "Remove this line. Above line change 00AM to 5PM for restore original values"

thambisetty · ‎07-13-2018

Hi,

Not tested thought, try something like below,

Select time range from -60d 5PM TO TODAY 5PM

| bin _time span=24h
| stats count by _time

————————————
If this helps, give a like below.

nilendra1988 · ‎07-13-2018

I tried that , not working.
2018-05-25 01:00.. it is taking this time for every row .
_time count
2018-05-25 01:00 1
2018-05-26 01:00 3
2018-05-27 01:00 2

Timechart count between times( (eg 5:00 PM to 5:00 PM) of two different day for last 60 days

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!

Introducing the Splunk Community Dashboard Challenge!