Splunk Search

timechart span over custom period of day

milande
Path Finder

Hi together,

I would need to present the count of events generated during the period from 6AM on day X until 6AM on day X+1 (and so for each day).
If I simply use:
index=technology_test | timechart span=1d count

I am getting events generated over a single day X and not in the [6AM to next day 6AM] range.
Any idea how to limit the span to hours spread over two consecutive days?

best regards,
Milan


jvarmazis_splun
Splunk Employee

For Day X = June 5, 2015 your search would be:
index=technology_test earliest="6/5/2015:06:00:00" latest="6/6/2015:06:00:00" | timechart span=1d count


woodcock
Esteemed Legend

This will yield 2 results, not 1: 1 for 6AM-Midnight on the 5th and another from Midnight to 6AM on the 6th.


woodcock
Esteemed Legend

This definitely does it:

 index=technology_test | eval _time=_time - (6*60*60) | bucket _time span=1d | stats count by _time | eval _time=_time + (6*60*60)
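To make the difference between the accepted answer and the other suggestions concrete, here is an added example that is not part of the thread: a small Python re-implementation of the three SPL pipelines (plain `timechart span=1d`, bucket-at-midnight-then-relabel, and the shift / bucket / unshift of the accepted answer) run over a constructed set of timestamps around the 6AM boundary. The event times are invented for the demonstration; the function names are my own.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample event timestamps (not real index data), naive local time.
SAMPLE_EVENTS = [
    "2015-06-05T05:30:00",  # before 6AM on the 5th -> belongs to the 4th's 6AM window
    "2015-06-05T06:00:00",  # exactly 6AM -> start of the 5th's window
    "2015-06-05T13:00:00",
    "2015-06-05T23:59:00",
    "2015-06-06T02:00:00",  # after midnight but before 6AM -> still the 5th's window
    "2015-06-06T05:59:59",
    "2015-06-06T06:00:01",  # first event of the 6th's window
    "2015-06-06T12:00:00",
]

SHIFT = timedelta(hours=6)  # the (6*60*60) seconds used in the SPL


def _midnight(t):
    """Equivalent of `bucket _time span=1d`: snap to the start of the calendar day."""
    return t.replace(hour=0, minute=0, second=0, microsecond=0)


def bucket_midnight(events):
    """`timechart span=1d count`: buckets run midnight to midnight."""
    counts = Counter()
    for ts in events:
        counts[_midnight(datetime.fromisoformat(ts)).isoformat()] += 1
    return dict(counts)


def bucket_label_shift_only(events):
    """Bucket at midnight, then add 6h to _time afterwards.

    The labels read as 6AM, but every bucket still contains the
    midnight-to-midnight events, which is the flaw pointed out in the thread.
    """
    counts = Counter()
    for ts in events:
        day = _midnight(datetime.fromisoformat(ts))
        counts[(day + SHIFT).isoformat()] += 1
    return dict(counts)


def bucket_six_am(events):
    """The accepted answer: subtract 6h, bucket by day, add the 6h back.

    Shifting before bucketing moves 00:00-06:00 of day X+1 into day X's bucket,
    so each label really covers 6AM on day X to 6AM on day X+1.
    """
    counts = Counter()
    for ts in events:
        shifted = datetime.fromisoformat(ts) - SHIFT
        counts[(_midnight(shifted) + SHIFT).isoformat()] += 1
    return dict(counts)


if __name__ == "__main__":
    for name, fn in [("midnight", bucket_midnight),
                     ("label shift only", bucket_label_shift_only),
                     ("shift/bucket/unshift", bucket_six_am)]:
        print(f"{name:22s} {fn(SAMPLE_EVENTS)}")
```

With the sample above, the label-only variant reports 4 events under the `2015-06-05T06:00:00` label, while the shift/bucket/unshift variant reports 5 for the same label (it picks up the 02:00 and 05:59:59 events of the 6th and drops the 05:30 event of the 5th into the previous window). One caveat worth knowing when running the real SPL: the shift is a fixed 21600 epoch seconds, so on a day with a DST transition the effective boundary moves by an hour relative to wall-clock 6AM.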

sivasobh
Engager

I downvoted this post because 😛


ppablo
Retired

@sivasobh

Downvoting users should be reserved for suggestions that could be potentially harmful for someone's Splunk environment. Also, giving a reason as ":P" is inappropriate and unnecessary, and this is not how Splunk community etiquette works in this forum. The downvote form is supposed to be used to help educate the community to learn and improve based on context provided, which your reasoning does not.

Before engaging further in voting people's posts, read how voting etiquette works in Splunk Answers:
https://answers.splunk.com/answers/244111/proper-etiquette-and-timing-for-voting-here-on-ans.html

woodcock
Esteemed Legend

You should "Accept" whichever answer is correctest.

fdi01
Motivator

try :

index=technology_test earliest=05/01/2015:06:0:0 | timechart per_day(eval(count)) as "count by day" | eval _time=_time + (6*60*60)

or

index=technology_test earliest=05/01/2015:06:0:0 | bucket span=1d _time | stats count as "count by day" by _time | eval _time=_time + (6*60*60)

milande
Path Finder

The first option produced an error in the usage of the timechart command (additionally, I do not see how to split the day into two parts, from 6AM up to tomorrow 6AM?), and the second suggestion picks up all events for a single day, not separating what happened before and what happened after 6AM. If I used the function per_hour() maybe I could filter only those in the 6-24 range, but for the second part, from 0-6AM the next day, I have no clue how to filter... any idea?

fdi01
Motivator

It is correct now with the timechart.
th.


woodcock
Esteemed Legend

Actually, it "looks" correct but it is not; the label has been artificially altered to appear to be from 6AM, but the data elements beneath each label are only from 6AM to midnight (it is missing the next 6 hours of the next day). Check out my answer, though; it definitely works.


milande
Path Finder

Is there any option to get official Splunk support, as here I could not find the right answer?


neelamssantosh
Contributor

In Date & Time Range specify your earliest and latest with date and time, then hit the search.
http://docs.splunk.com/Documentation/Splunk/6.2.3/Search/Selecttimerangestoapply

Hope it will help you.


milande
Path Finder

But I need, for each day, the span from 6AM on day X until 6AM on day X+1 (and so for each day), not just one manually edited range. Generally I need a chart over days, not just a single value for one day.


neelamssantosh
Contributor

If you want from yesterday 6AM to today 6AM, then use
earliest=-d@d and run the report every day at 6AM using a cron job and render it in your dashboard.


milande
Path Finder

My aim is to have a chart over days, not to run it manually every day at 6AM. You mention a "cron job"; I checked right now but I do not have permission for it.
If that is not hard for you, could you just provide me with a search string which does that without a "cron job"? Unfortunately I do not understand, with my current Splunk knowledge, how to do it.
