Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Why does timewrap require timechart results?

tiimo
Engager
‎05-08-2025 04:27 AM

If you use timewrap without previously using the timechart command, you get a warning "The timewrap command is designed to work on the output of timechart. ".

If the format is correct, it works though.

For example, these two queries give the same output:

| tstats count where index=my_index by _time span=1h
| timewrap 1w
index=my_index
| timechart span=1h count 
| timewrap 1w

 The first query is way faster in this case, but I get the warning mentioned above. (this is not about the tstats command, it is also possible to recreate timechart it with other commands iirc)

The docs say: "You must use the timechart command in the search before you use the timewrap command. " (both SPL and SPL2 docs say this)

Why is this the case though? Beside the docs and the warning, nothing hints towards this being correct, it works...

Am I missing something? If not, is it possible to deactivate the warning?

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-08-2025 04:48 AM

timewrap is looking for a hidden field called _span

This should work

| tstats count where index=my_index by _time span=1h
| eval _span=3600
| timewrap 1w

 This should give a warning

index=my_index
| timechart span=1h count 
| fields - _span
| timewrap 1w

View solution in original post

Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎05-16-2025 09:51 AM

You could also use tstats with prestats=t paramter like

| tstats prestats=t count where index=my_index by _time span=1h
| timechart span=1h count
| timewrap 1w

 https://docs.splunk.com/Documentation/Splunk/9.4.2/SearchReference/Tstats

 

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-08-2025 04:48 AM

timewrap is looking for a hidden field called _span

This should work

| tstats count where index=my_index by _time span=1h
| eval _span=3600
| timewrap 1w

 This should give a warning

index=my_index
| timechart span=1h count 
| fields - _span
| timewrap 1w
Reply
Solved! Jump to solution

tiimo
Engager
‎05-08-2025 04:54 AM

Huh, thanks, that works. This should be changed or at least clarified in the documentation

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-08-2025 05:06 AM

If all these things were documented, there wouldn't be a need for Answers, Splunk Trust and .conf! 🤣

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

How to find the worst searches in your Splunk environment and how to fix them

Everyone knows Splunk is a powerful platform for running searches and doing data analytics. Your ...

Share Your Feedback: On Admin Config Service (ACS)!

Help Us Build a Better Admin Config Service Experience (ACS)   We Want Your Feedback on Admin Config Service ...