Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

timechart span=60m snaps to hour whereas I want it to snap to minute

nabeel652
Builder
‎01-24-2017 11:27 PM

I'm trying to get hourly averages and compare the last to the previous one. 

...some search | timechart  span=60m avg(SampleValue)

However, this tends to count hourly events starting 00 minutes of every hour up to 59 mins. So if it is 5:01pm now and I have not received any event for SampleValue yet, It will show zero (or null) for this hour. Whereas I want it to start -60 minutes from now so if it 5:23pm now it should calculate an average on 4:24pm to 5:23pm and so on for last 24 hours. currently it seems to calculate 4:00pm to 5:00pm and 5:00pm to 5:23pm (or 6:00pm theoratically). In short it snaps to an hour whereas I want it to snap to a minute at the most...

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nabeel652
Builder
‎01-26-2017 05:12 PM

I was working with timecharts and this worked for me:

| eval _time = _time + (3600 - tonumber(strftime(now(),"%M"))*60) | timechart span=1h avg(SampleValue) as average

because we have a limitation with timechart that it only works with _time.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

nabeel652
Builder
‎01-26-2017 05:12 PM

I was working with timecharts and this worked for me:

| eval _time = _time + (3600 - tonumber(strftime(now(),"%M"))*60) | timechart span=1h avg(SampleValue) as average

because we have a limitation with timechart that it only works with _time.

0 Karma
Reply
Solved! Jump to solution

rjthibod
Champion
‎01-25-2017 04:27 AM

I don't know of a built-in way of doing what you ask using commands like bucket or bin. However, I think I figured out a way to get the value you would want per bucket. Depending on dense your samples are, you could use makecontinuous and filldown to create a timechart with the data

 ... your search ... 
| eventstats min(_time) as start
| eval bin = floor((_time - start)/3600)
| eventstats avg(SampleValue) as average by bin
| fields SampleValue average
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎01-25-2017 04:19 AM

what do you have your time range set to? I believe span works from the earliest time. I'm pretty sure 'Last 24 hours' snaps to the beginning of the hour. Try adding earliest=-24h to your search.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...