
Why will timechart not give me hourly updates?

Explorer

I have the following query that shows me that date/time is getting parsed correctly and is now displaying as a regular Splunk time:

client

| table date, hour, _time, epochtime, correct_timestamp, rate
| eval correct_timestamp = date + " " + hour + ":00:00"
| eval epochtime=strptime(correct_timestamp,"%Y-%m-%d %H:%M:%S")
| eval _time=strftime(epochtime, "%Y-%m-%d %H:%M:%S %p")

When I try to use the following query to create a timechart with an hourly average of the rate, I get no visualizations. I can easily create a timechart of rate that happens by day. Why can I not get this down to the hour?

client

| eval correct_timestamp = date + " " + hour + ":00:00"
| eval epochtime=strptime(correct_timestamp,"%Y-%m-%d %H:%M:%S")
| eval _time=strftime(epochtime, "%Y-%m-%d %H:%M:%S %p")
| timechart avg(rate) span=1h
0 Karma

Re: Why will timechart not give me hourly updates?

SplunkTrust

@jamesandy51,

Try using the epoch time in timechart before you convert it to a string using strftime.

i.e.

client 
| eval correct_timestamp = date + " " + hour + ":00:00" 
| eval _time=strptime(correct_timestamp,"%Y-%m-%d %H:%M:%S")
| timechart avg(rate) span=1h

Re: Why will timechart not give me hourly updates?

Explorer

This still does not work. It looks like after I run the |timechart command, it reverts _time to the original value before the eval.

Any other ideas?

0 Karma

Re: Why will timechart not give me hourly updates?

Explorer

Your search is slightly incorrect - you're assigning an actual integer to epochtime using strptime, and then using strftime to format/assign it to _time. The field _time should have the epoch value, not the formatted value. This is causing timechart to be confused.

You're on the right track, and Renjith's answer is a correct one.

0 Karma
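
The point made in the replies above, as an added run-anywhere search that is not part of the original thread: `_time` is assigned the numeric result of strptime and never passed through strftime, so timechart can bucket it by hour. The makeresults rows, the helper fields `n` and `time_type`, the date "2019-03-01" and the rate values are constructed sample data; only `date`, `hour`, `rate` and `correct_timestamp` come from the question.

```spl
| makeresults count=6
| streamstats count AS n
| eval date="2019-03-01"
| eval hour=printf("%02d", floor((n-1)/2))
| eval rate=n*10
| eval correct_timestamp=date." ".hour.":00:00"
| eval _time=strptime(correct_timestamp, "%Y-%m-%d %H:%M:%S")
| eval time_type=typeof(_time)
| timechart span=1h avg(rate) AS avg_rate
```

Dropping the final timechart line and ending with `| table _time, time_type, correct_timestamp, rate` shows whether `_time` is still a number at that point in the pipeline, which is the quickest check when a chart comes back empty.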

Re: Why will timechart not give me hourly updates?

Explorer

Got it, I have it working now. Thank you both for the help!!

0 Karma

Re: Why will timechart not give me hourly updates?

SplunkTrust

@jamesandy51, if it worked for you, please accept as answer. Thanks

0 Karma