Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

"bin=2h time" doesn't split the bucket by every 2 hour.

cheriemilk
Path Finder
‎10-22-2020 12:04 AM

Hi team,

with below query, I can't get expected result with the bins splitted by every 2 hour which I specified by "| bin span=2h TIME"

index=*bizx_application AND sourcetype=perf_log_bizx AND AutoSaveForm OR SaveFormV2 OR SaveForm

| eval TIME=strftime(_time,"%Y-%m-%d %H:%M:%S")

| bin span=2h TIME

| stats count by TIME SFDC

 

The result I got from above query is below table. As you see, the TIME column, it's not splitted by 2 hour. What's wrong here?

 

bin with 2h.jpg

 

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-22-2020 01:40 AM

So the original problem has been solved. Please mark the solution as solving the issue so that others looking for the same issue can find it. As for the reversing the order of time, you already have another question to cover that, so I will post suggestions there.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-22-2020 12:25 AM

Use _time instead of time for your bin and stats. If you want the time displayed in a particular format, use fieldformat

index=*bizx_application AND sourcetype=perf_log_bizx AND AutoSaveForm OR SaveFormV2 OR SaveForm

| fieldformat _time=strftime(_time,"%Y-%m-%d %H:%M:%S")

| bin span=2h _time

| stats count by _time SFDC
0 Karma
Reply
Solved! Jump to solution

cheriemilk
Path Finder
‎10-22-2020 12:54 AM

Hi @ITWhisperer ,

It works by using _time, but I have another requirement that I want to display the time order in chart descendly, by reverse command , which means latest time and corresponding count are put in left, instead of right.

So with below query, the reverse command doesn't reverse _time actually.  That  why I didn't use _time at first. Any idea?

 

 

index=*bizx_application AND sourcetype=perf_log_bizx AND AutoSaveForm OR SaveFormV2 OR SaveForm

| fieldformat _time=strftime(_time,"%Y-%m-%d %H:%M:%S")

| bin span=2h _time

| stats count by _time SFDC

| chart values(count) by _time SFDC

| reverse

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-22-2020 01:40 AM

So the original problem has been solved. Please mark the solution as solving the issue so that others looking for the same issue can find it. As for the reversing the order of time, you already have another question to cover that, so I will post suggestions there.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...