Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Timechart hour span for one week isn't showing breakdown

Scottindc
Explorer
‎03-29-2013 07:20 AM

It's showing all the hours for each day but groups all activity at midnight of each day instead of through the day. This is my output query -

| timechart span=1hour count by PlatformName limit=50

How do I get the breakdown for each hour in the day to show?

alt text

Tags (1)
0 Karma
Reply

sideview
SplunkTrust
SplunkTrust
‎04-01-2013 11:14 AM

If you've configured the saved search populating the summary index to run only once a day, (and the rows you're sending into the summary index don't have _time values), then the summary will only ever have events at midnight on each day, and that will be your problem here.

it's important when setting up summary indexing to use a time interval that will be able to give you the granularity that you need.

http://docs.splunk.com/Documentation/Splunk/5.0.2/Knowledge/Usesummaryindexing

Excerpt from that page: "Remember that searches that populate summary indexes should run on a fairly frequent basis in order to create statistically accurate final reports. If the search you're running against the summary index is gathering information for the past week, you should have the summary search run on an hourly basis, collecting information for each hour. If you're running searches over the past year's worth of data, you might have the summary index collect data on a daily basis for the past day."

If you're running the summary index search at midnight because the system is generally underutilized then, and say your search was like ... | stats count by username, then there's another way to up the granularity of summary data from one day to one hour, by changing the search to this:

... | bin _time span="1h" | stats count by username, _time

Even if you only run that once a day, the rows it's sending into the summary index have a _time field, and unless you've spceially configured your SI config, it'll use that _time field when it creates the new rows, meaning that you can have 1-hour granularity on your timecharts later.

Reply

Scottindc
Explorer
‎03-29-2013 09:55 AM

What's the best way to fix this?

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-29-2013 08:03 AM

I guess your summary index only contains events from just after midnight then.

0 Karma
Reply

Scottindc
Explorer
‎03-29-2013 07:49 AM

Pardon, I'm very new to Splunk. This is the full query -

index="summary" search_name="si_http_programID_platform_format" earliest="-7day@day" latest="-0day@day" | timechart span=1hour count by PlatformName limit=50

Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-29-2013 07:42 AM

What's the full query? Also, make sure your timestamps are parsed correctly.

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...