Solved: timechart - Trying to bucket by 10 minutes - Displ...

TheJagoff · ‎07-19-2017

Hi,

I am doing the following:
index=wineventlog user="*.ad" TaskCategory="Security Group Management" |bucket _time span=10m| timechart count AS EventCount

It is showing a report line for every minute - I would like for it to have a report line for every 10 minutes and I thought that the |bucket _time span=10m would do that.

How can I get this to display results for every 10 minutes?

Thanks in advance

rjthibod · ‎07-19-2017

You need to put the span argument directly in the timechart command. Otherwise, it recalculates a span based on your search period.

New search to try:

index=wineventlog user="*.ad" TaskCategory="Security Group Management" | timechart span=10m count AS EventCount

View solution in original post

rjthibod · ‎07-19-2017

You need to put the span argument directly in the timechart command. Otherwise, it recalculates a span based on your search period.

New search to try:

index=wineventlog user="*.ad" TaskCategory="Security Group Management" | timechart span=10m count AS EventCount

timechart - Trying to bucket by 10 minutes - Displaying every minute

New Year. New Skills. New Course Releases from Splunk Education

Splunk and TLS: It doesn't have to be too hard

Faster Insights with AI, Streamlined Cloud-Native Operations, and More New Lantern ...

Join the Conversation

timechart - Trying to bucket by 10 minutes - Displaying every minute

New Year. New Skills. New Course Releases from Splunk Education

Splunk and TLS: It doesn't have to be too hard

Faster Insights with AI, Streamlined Cloud-Native Operations, and More New Lantern ...