Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

timechart span=60m snaps to hour whereas I want it to snap to minute

nabeel652
Builder
‎01-24-2017 11:27 PM

I'm trying to get hourly averages and compare the last to the previous one. 

...some search | timechart  span=60m avg(SampleValue)

However, this tends to count hourly events starting 00 minutes of every hour up to 59 mins. So if it is 5:01pm now and I have not received any event for SampleValue yet, It will show zero (or null) for this hour. Whereas I want it to start -60 minutes from now so if it 5:23pm now it should calculate an average on 4:24pm to 5:23pm and so on for last 24 hours. currently it seems to calculate 4:00pm to 5:00pm and 5:00pm to 5:23pm (or 6:00pm theoratically). In short it snaps to an hour whereas I want it to snap to a minute at the most...

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nabeel652
Builder
‎01-26-2017 05:12 PM

I was working with timecharts and this worked for me:

| eval _time = _time + (3600 - tonumber(strftime(now(),"%M"))*60) | timechart span=1h avg(SampleValue) as average

because we have a limitation with timechart that it only works with _time.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

nabeel652
Builder
‎01-26-2017 05:12 PM

I was working with timecharts and this worked for me:

| eval _time = _time + (3600 - tonumber(strftime(now(),"%M"))*60) | timechart span=1h avg(SampleValue) as average

because we have a limitation with timechart that it only works with _time.

0 Karma
Reply
Solved! Jump to solution

rjthibod
Champion
‎01-25-2017 04:27 AM

I don't know of a built-in way of doing what you ask using commands like bucket or bin. However, I think I figured out a way to get the value you would want per bucket. Depending on dense your samples are, you could use makecontinuous and filldown to create a timechart with the data

 ... your search ... 
| eventstats min(_time) as start
| eval bin = floor((_time - start)/3600)
| eventstats avg(SampleValue) as average by bin
| fields SampleValue average
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎01-25-2017 04:19 AM

what do you have your time range set to? I believe span works from the earliest time. I'm pretty sure 'Last 24 hours' snaps to the beginning of the hour. Try adding earliest=-24h to your search.

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...