Hi all,
I need to present the count of events generated during the period from 6AM on day X until 6AM on day X+1 (and so on for each day).
If I simply use:
index=technology_test | timechart span=1d count
I am getting events generated over a single day X and not in the [6AM to next day 6AM] range.
Any idea how to limit the span to hours spread over two consecutive days?
Best regards,
Milan
This definitely does it:
index=technology_test | eval _time=_time - (6*60*60) | bucket _time span=1d | stats count by _time | eval _time=_time + (6*60*60)
For Day X = June 5, 2015 your search would be:
index=technology_test earliest="6/5/2015:06:00:00" latest="6/6/2015:06:00:00" | timechart span=1d count
This will yield 2 results, not 1: 1 for 6AM-Midnight on the 5th and another from Midnight to 6AM on the 6th.
I downvoted this post because 😛
@sivasobh
Downvoting users should be reserved for suggestions that could be potentially harmful for someone's Splunk environment. Also, giving a reason as ":P" is inappropriate and unnecessary, and this is not how Splunk community etiquette works in this forum. The downvote form is supposed to be used to help educate the community to learn and improve based on context provided, which your reasoning does not.
Before engaging further in voting people's posts, read how voting etiquette works in Splunk Answers:
https://answers.splunk.com/answers/244111/proper-etiquette-and-timing-for-voting-here-on-ans.html
You should "Accept" whichever answer is the most correct.
Try:
index=technology_test earliest=05/01/2015:06:0:0 | timechart per_day(eval( count)) as "count by day" | eval _time=_time + (6*60*60)
or
index=technology_test earliest=05/01/2015:06:0:0 |bucket span=1d _time |stats count as "count by day" by _time | eval _time=_time + (6*60*60)
The first option produced an error in the usage of the timechart command (additionally, I do not see how to split the day into two parts, from 6AM up to 6AM tomorrow?), and the second suggestion picks up all events for a single day, not separating what happened before and after 6AM. If I used the function per_hour() maybe I could filter only those in the 6-24 range, but for the second part, from 0-6AM the next day, I have no clue how to filter... any idea?
It is correct now with the timechart.
Thanks.
Actually, it "looks" correct but it is not; the label has been artificially altered to appear to be from 6AM, but the data elements beneath each label are only from 6AM to midnight (it is missing the next 6 hours of the next day). Check out my answer, though; it definitely works.
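As an added worked example (not part of the original thread, and not code from Splunk itself), the following Python reproduces what the accepted search does: subtract 6 hours before bucketing into 1-day spans, then add the 6 hours back to the label. It also implements the "bucket on midnight, then relabel" variant criticised in the comment above, so the two can be compared on the same constructed timestamps. The bucketing assumes, as a simplification, that "bucket _time span=1d" snaps to midnight UTC; on a real Splunk server it snaps to midnight in the search's time zone, but the offset arithmetic is identical.

```python
"""Bucketing events into 6AM-to-6AM periods, as the accepted search does:

    eval _time=_time-(6*60*60) | bucket _time span=1d | stats count by _time
    | eval _time=_time+(6*60*60)

versus the wrong variant that buckets on midnight and only relabels.
Added example; timestamps are constructed sample data. Assumes the
day boundary is midnight UTC (a real Splunk search snaps to midnight in
the search's time zone, but the arithmetic is the same).
"""
from collections import Counter
from datetime import datetime, timezone

OFFSET = 6 * 60 * 60   # the 6*60*60 from the SPL: period starts at 6AM
DAY = 24 * 60 * 60


def bucket_6am(epoch, offset=OFFSET):
    """eval _time=_time-offset | bucket _time span=1d | eval _time=_time+offset.
    Returns the epoch of the 6AM that starts the period the event belongs to."""
    shifted = epoch - offset
    start = shifted - (shifted % DAY)   # span=1d snaps to midnight
    return start + offset


def bucket_midnight_relabelled(epoch, offset=OFFSET):
    """The tempting-but-wrong form: bucket on midnight, then add 6h to the label.
    The label says 6AM, but the bucket still holds midnight-to-midnight events."""
    start = epoch - (epoch % DAY)
    return start + offset


def count_by(events, bucket_fn):
    """Equivalent of 'stats count by _time' over the bucketed events."""
    return dict(Counter(bucket_fn(e) for e in events))


def ts(text):
    """Parse 'YYYY-MM-DD HH:MM' as UTC epoch seconds."""
    dt = datetime.strptime(text, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def fmt(epoch):
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M")


# Constructed sample events around the 6AM boundary on 5-6 June 2015.
SAMPLE_EVENTS = [ts(s) for s in (
    "2015-06-05 05:30",   # before 6AM on the 5th -> belongs to the 4th's period
    "2015-06-05 06:00",   # exactly 6AM -> first event of the 5th's period
    "2015-06-05 12:00",
    "2015-06-05 23:59",
    "2015-06-06 02:00",   # after midnight but before 6AM -> still the 5th's period
    "2015-06-06 05:59",
    "2015-06-06 06:00",   # first event of the 6th's period
)]


if __name__ == "__main__":
    for name, fn in (("shift-then-bucket (accepted search)", bucket_6am),
                     ("bucket-then-relabel (wrong)", bucket_midnight_relabelled)):
        print(name)
        for start, n in sorted(count_by(SAMPLE_EVENTS, fn).items()):
            print(f"  {fmt(start)} -> {fmt(start + DAY)}: {n} events")
```

With the sample data, the shift-then-bucket version puts five events into the period starting 2015-06-05 06:00 (including the two that fall after midnight on the 6th), while the relabelled version reports four for the same label and moves the early-morning events into the next period. One practical caveat when running the real search: the search time range itself should also start and end at 6AM (for example earliest=-7d@d+6h latest=@d+6h), otherwise the first and last buckets are only partially filled.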
Is there any option to get official Splunk support, as here I could not find the right answer?
In Date & Time Range, specify your earliest and latest with date and time, then hit search.
http://docs.splunk.com/Documentation/Splunk/6.2.3/Search/Selecttimerangestoapply
Hope this will help you.
But I need, for each day, the span from 6AM on day X until 6AM on day X+1 (and so on for each day), not just a single manually edited range. Generally I need a chart over days, not just a single value for one day.
If you want from yesterday 6AM to today 6AM, then use
earliest=-1d@d+6h latest=@d+6h and run the report every day at 6AM using a cron job and render it in your dashboard.
My aim is to have a chart over days, not to run it manually every day at 6AM. You mention a "cron job"; I checked right now, but I do not have permission for it.
If it is not too hard for you, could you just provide me with a search string which does that without a "cron job"? Unfortunately, with my current Splunk knowledge I do not understand how to do it.