Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Timechart - span=30m show data in 15th and 45th min

askkawalkar
Path Finder
‎06-18-2019 12:02 AM

I am trying to create a timechart
base search ...
| timechart span=30m latest(COUNT) as COUNT by NAME

it is providing me events for field "_time" as : "12:00", "12:30", "01:00", "01:30" .. and so on..

I want field "_time" as : "12:15", "12:45", "01:15", "1:45" ... and so on...

Is there any solution to convert _time.

Thanks in advance.

Reply
1 Solution
Solved! Jump to solution
Solution

VatsalJagani
Super Champion
‎06-18-2019 05:21 AM

Hello @askkawalkar,

This query worked for me. Instead of timechart use below list of evals, stat and chart to achieve your requirement.

<your query>
| bin _time span=15m 
| stats latest(COUNT) as COUNT by _time, NAME
| eval _time=_time/100 
| eval _time=if(_time%2==0,_time-9,_time) 
| eval _time=_time*100 
| chart last(COUNT) as COUNT over _time by NAME

View solution in original post

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎06-21-2019 06:03 AM

here is another way of achieving your goal with the aligntime attribute:
read here:
https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Bin#Bin_options

run this search anywhere:

| gentimes start=-2 increment=1m
| eval _time = starttime 
| eval number = random()%200
| bin _time span=30m aligntime=@d+15m
| timechart max(number) as max_number

hope it helps

0 Karma
Reply
Solved! Jump to solution

askkawalkar
Path Finder
‎06-21-2019 07:42 AM

Hi @adonio ,

Thanks for your help in search anywhere.

Thanks,
Ankush

0 Karma
Reply
Solved! Jump to solution

VatsalJagani
Super Champion
‎06-21-2019 12:14 AM

@askkawalkar - Did you get chance to check answer?

0 Karma
Reply
Solved! Jump to solution
Solution

VatsalJagani
Super Champion
‎06-18-2019 05:21 AM

Hello @askkawalkar,

This query worked for me. Instead of timechart use below list of evals, stat and chart to achieve your requirement.

<your query>
| bin _time span=15m 
| stats latest(COUNT) as COUNT by _time, NAME
| eval _time=_time/100 
| eval _time=if(_time%2==0,_time-9,_time) 
| eval _time=_time*100 
| chart last(COUNT) as COUNT over _time by NAME
0 Karma
Reply
Solved! Jump to solution

askkawalkar
Path Finder
‎06-21-2019 07:36 AM

Hi @VatsalJagani ,

Thanks for your quick help. This solution worked for me.

Below is the run anywhere query (@adonio: thanks for providing run anywhere search)

| gentimes start=-2 increment=30m
 | eval _time = starttime 
 | eval number = random()%200
| bin _time span=15m 
 | stats latest(number) as COUNT by _time
 | eval _time=_time/100 
 | eval _time=if(_time%2==0,_time-9,_time) 
 | eval _time=_time*100 
 | chart last(COUNT) as COUNT over _time

Regards,
Ankush

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! &#x1f308; In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...