Splunk Search

timechart span over custom period of day

milande
Path Finder

Hi together,

I would need to present count of events generated during period from 6AM at day X until 6AM at day X+1 (and so for each day).
If I simple use:
index=technology_test | timechart span=1d count

I am getting events generated over single day X and not in [6AM to next day 6AM] range.
Any idea how to limit span to hours spread over two consecutive days ?

best regards,
Milan

Tags (2)
0 Karma
1 Solution

woodcock
Esteemed Legend

This definitely does it:

 index=technology_test | eval _time=_time - (6*60*60) | bucket _time span=1d | stats count by _time | eval _time=_time + (6*60*60)

View solution in original post

jvarmazis_splun
Splunk Employee
Splunk Employee

For Day X = June 5, 2015 your search would be:
index=technology_test earliest=”6/5/2015:06:00:00” latest=”6/6/2015:06:00:00” | timechart span=1d count

0 Karma

woodcock
Esteemed Legend

This will yield 2 results, not 1: 1 for 6AM-Midnight on the 5th and another from Midnight to 6AM on the 6th.

0 Karma

woodcock
Esteemed Legend

This definitely does it:

 index=technology_test | eval _time=_time - (6*60*60) | bucket _time span=1d | stats count by _time | eval _time=_time + (6*60*60)

View solution in original post

sivasobh
Engager

I downvoted this post because 😛

0 Karma

ppablo
Community Manager
Community Manager

@sivasobh

Downvoting users should be reserved for suggestions that could be potentially harmful for someone's Splunk environment. Also, giving a reason as ":P" is inappropriate and unnecessary, and this is not how Splunk community etiquette works in this forum. The downvote form is supposed to be used to help educate the community to learn and improve based on context provided, which your reasoning does not.

Before engaging further in voting people's posts, read how voting etiquette works in Splunk Answers:
https://answers.splunk.com/answers/244111/proper-etiquette-and-timing-for-voting-here-on-ans.html

woodcock
Esteemed Legend

You should "Accept" whichever answer is correctest.

fdi01
Motivator

try :

 index=technology_test  earliest=05/01/2015:06:0:0   | timechart per_day(eval( count)) as "count by day" | eval _time=_time + (6*60*60)

or

 index=technology_test  earliest=05/01/2015:06:0:0 |bucket span=1d _time  |stats count as  "count by day"  by _time  | eval _time=_time + (6*60*60)
0 Karma

milande
Path Finder

first option brought error in usage of timechart command (additionally I do not see how to parse day in tho parts after 6AM up tomorrow 6AM ?) and the second suggestion pick up all events for single day, not separating what happened before and what after 6AM. If I would use function per_hour() maybe I could filter only those in 6-24 range, where the second part from 0-6AM next day I have no clue how to filter...any idea ?

fdi01
Motivator

it is correct now with the timechart .
th.

0 Karma

woodcock
Esteemed Legend

Actually, it "looks" correct but it is not; the label has been artificially altered to appear to be from 6AM but the data elements beneath each label is only from 6AM to midnight (it is missing the next 6 hours of the next day). Check out my answer, though; it definitely works.

0 Karma

milande
Path Finder

Is there any option to get official Splunk support as here I could not find right answer
?

0 Karma

neelamssantosh
Contributor

in Date & Time Range specify your earliest and latest with date and time, then hit the search.
http://docs.splunk.com/Documentation/Splunk/6.2.3/Search/Selecttimerangestoapply

Hope i will help you.

0 Karma

milande
Path Finder

But I need for each day span from 6AM at day X until 6AM at day X+1 (and so for each day), not just once manually edited. Generally I need chart over days not just single value for just one day.

0 Karma

neelamssantosh
Contributor

if u want from yesterday 6AM to today 6AM,then use
earliest=d@d and run the report every day at 6Am using the cron job and render in your dashboard.

0 Karma

milande
Path Finder

My aim ist to have chart over days, not to run manually every day at 6AM. You mention "cron job" I checked right now but I do not have permission for it.
If that is not hard for you could you just provide me with search string which do that without "cron job" ? Unfortunatelly I do not understand with current Splunk knowledge how to do it.

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!