- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: timechart span=60m snaps to hour whereas I wan...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm trying to get hourly averages and compare the last to the previous one.
...some search | timechart span=60m avg(SampleValue)
However, this tends to count hourly events starting 00 minutes of every hour up to 59 mins. So if it is 5:01pm now and I have not received any event for SampleValue yet, It will show zero (or null) for this hour. Whereas I want it to start -60 minutes from now so if it 5:23pm now it should calculate an average on 4:24pm to 5:23pm and so on for last 24 hours. currently it seems to calculate 4:00pm to 5:00pm and 5:00pm to 5:23pm (or 6:00pm theoratically). In short it snaps to an hour whereas I want it to snap to a minute at the most...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was working with timecharts and this worked for me:
| eval _time = _time + (3600 - tonumber(strftime(now(),"%M"))*60) | timechart span=1h avg(SampleValue) as average
because we have a limitation with timechart that it only works with _time.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was working with timecharts and this worked for me:
| eval _time = _time + (3600 - tonumber(strftime(now(),"%M"))*60) | timechart span=1h avg(SampleValue) as average
because we have a limitation with timechart that it only works with _time.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't know of a built-in way of doing what you ask using commands like bucket or bin. However, I think I figured out a way to get the value you would want per bucket. Depending on dense your samples are, you could use makecontinuous and filldown to create a timechart with the data
... your search ...
| eventstats min(_time) as start
| eval bin = floor((_time - start)/3600)
| eventstats avg(SampleValue) as average by bin
| fields SampleValue average
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
what do you have your time range set to? I believe span works from the earliest time. I'm pretty sure 'Last 24 hours' snaps to the beginning of the hour. Try adding earliest=-24h to your search.
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
