- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Why is the timechart command not working properly?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
Hope you all are good.
I was working on displaying the number of machines which are active for last one hours and showing a trend increase or decreased based on last hour. I used the below query to get the details.
index=emea-app-lol sourcetype="Vision_Labs"
| dedup machine_name
| timechart cont=false span=1h count
When i'am using this query and giving time range for 2 or 4 hours m getting the results as below:-
_time count
2019-11-28 13:00 10
2019-11-28 14:00 109
when i click on the count of 1 PM, i can see data being displayed for 13:00:00:00 to 13:00:00:00 and same for the 2 PM as well.
In this case the active machine count and trend both are displaying wrong. As when i do stats count than we I can see the accurate count of the data. I have tried to change the Span as well but no luck.
I'm getting the data every 15 minutes and in the below format
11/28/19
2:43:31.000 PM ('15','WPE',1,'BMRNRP','ScanPoint','Tracking','Tracking','2019-11-28 14:43:31')
11/28/19
2:43:31.000 PM ('15','PC02',1,'BMRGLM','ScanPoint','Tracking','Tracking','2019-11-28 14:43:31')
11/28/19
2:43:31.000 PM ('15','Non Manufacturing',1,'BMRR5X','Unknown','Non Manufacturing','Non Manufacturing','2019-11-28 14:43:31')
11/28/19
2:43:31.000 PM ('15','G05',1,'BMRPPK','Generator','Generating','Surfacing','2019-11-28 14:43:31')
Please do let me know if you have any questions.
Thanks in advance...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are doing it inefficiently; try this:
index="emea-app-lol" AND sourcetype="Vision_Labs"
| timechart cont=false span=1h dc(machine_name) AS count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are doing it inefficiently; try this:
index="emea-app-lol" AND sourcetype="Vision_Labs"
| timechart cont=false span=1h dc(machine_name) AS count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @niks987,
you should use as time period full hours, in other words, use @h in your earliest, something like this:
index=emea-app-lol sourcetype="Vision_Labs" earliest=-4h@h
| dedup machine_name
| timechart cont=false span=1h count
In addition, the value ofthe current hour is incomplete by definition, so you could also add latest=@h so you'll have the last 4 full hours.
index=emea-app-lol sourcetype="Vision_Labs" earliest=-4h@h latest=@h
| dedup machine_name
| timechart cont=false span=1h count
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HI Giuseppe,
Thanks for your reply.
I have already tried earliest one option but still m getting the same result. For other scenarios m able to get the correct data displayed to splunk but for this case m not getting able to display correct data.
Regards,
Nishant
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Its weird thought, when m giving same command just for an hour then m getting correct count of active machines.
Index This | What are the 12 Days of Splunk-mas?
Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off
What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience
