Splunk Search

Why is the timechart command not working properly?

niks987
Explorer

Hi All,

Hope you all are good.

I was working on displaying the number of machines which are active for last one hours and showing a trend increase or decreased based on last hour. I used the below query to get the details.

index=emea-app-lol sourcetype="Vision_Labs"
| dedup machine_name
| timechart cont=false span=1h count

When i'am using this query and giving time range for 2 or 4 hours m getting the results as below:-

_time count
2019-11-28 13:00 10
2019-11-28 14:00 109

when i click on the count of 1 PM, i can see data being displayed for 13:00:00:00 to 13:00:00:00 and same for the 2 PM as well.
In this case the active machine count and trend both are displaying wrong. As when i do stats count than we I can see the accurate count of the data. I have tried to change the Span as well but no luck.

I'm getting the data every 15 minutes and in the below format
11/28/19
2:43:31.000 PM ('15','WPE',1,'BMRNRP','ScanPoint','Tracking','Tracking','2019-11-28 14:43:31')

11/28/19
2:43:31.000 PM ('15','PC02',1,'BMRGLM','ScanPoint','Tracking','Tracking','2019-11-28 14:43:31')

11/28/19
2:43:31.000 PM ('15','Non Manufacturing',1,'BMRR5X','Unknown','Non Manufacturing','Non Manufacturing','2019-11-28 14:43:31')

11/28/19
2:43:31.000 PM ('15','G05',1,'BMRPPK','Generator','Generating','Surfacing','2019-11-28 14:43:31')

Please do let me know if you have any questions.

Thanks in advance...

Tags (2)
0 Karma
1 Solution

woodcock
Esteemed Legend

You are doing it inefficiently; try this:

index="emea-app-lol" AND sourcetype="Vision_Labs"
| timechart cont=false span=1h dc(machine_name) AS count

View solution in original post

0 Karma

woodcock
Esteemed Legend

You are doing it inefficiently; try this:

index="emea-app-lol" AND sourcetype="Vision_Labs"
| timechart cont=false span=1h dc(machine_name) AS count
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @niks987,
you should use as time period full hours, in other words, use @h in your earliest, something like this:

index=emea-app-lol sourcetype="Vision_Labs" earliest=-4h@h
| dedup machine_name
| timechart cont=false span=1h count

In addition, the value ofthe current hour is incomplete by definition, so you could also add latest=@h so you'll have the last 4 full hours.

index=emea-app-lol sourcetype="Vision_Labs" earliest=-4h@h latest=@h
| dedup machine_name
| timechart cont=false span=1h count

Ciao.
Giuseppe

0 Karma

niks987
Explorer

HI Giuseppe,

Thanks for your reply.

I have already tried earliest one option but still m getting the same result. For other scenarios m able to get the correct data displayed to splunk but for this case m not getting able to display correct data.

Regards,
Nishant

0 Karma

niks987
Explorer

Its weird thought, when m giving same command just for an hour then m getting correct count of active machines.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...