Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to use timechart or bucket span to view the result every 30 mins using below query?

anil1219
Engager
‎09-15-2023 05:31 PM

Hi,

I want to use timechart or bucket span to view the result every 30 mins using below query.

Could you please let me know how I can use timechart or bucket span=30m _time here.

 

index=* handler=traffic <today timerange>
| stats dc(dsid) as today_Traffic
| appendcols
[search index=* handler=traffic <yesterday timerange>
| stats dc(dsid) as Previous_day_Traffic]
| eval delta_traffic = today_Traffic-Previous_day_Traffic

Labels (2)
Labels
Tags (1)
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎09-17-2023 05:44 PM

You can use timechart/timewrap if you want to end up with a timechart dataset which you can plot overlaid on each other

index=* handler=traffic (earliest=-1d@d latest=@d) OR (earliest=@d latest=now)
| timechart span=30m dc(dsid) as traffic
| timewrap 1d
| eval delta=traffic_latest_day - traffic_1day_before

or you can 'move' the previous day values to 'today' for charting purposes, by just adding 86400 (seconds in a day) to yesterday's value (which is what timewrap effectively does).

index=* handler=traffic (earliest=-1d@d latest=@d) OR (earliest=@d latest=now)
| eval d=if(_time>=relative_time(now(), "@d"), "today", "yesterday")
| eval _time=_time + if(d="yesterday", 86400, 0)
| timechart fixedrange=f span=30m dc(dsid) by d
| eval delta=today-yesterday

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-15-2023 11:00 PM

Try something like this

index=* handler=traffic <today timerange> OR <yesterday timerange>
| eval day=if(_time < relative_time(now(),"@d"), "yesterday", "today")
| timechart span=30m dc(dsid) as traffic by day
| eval delta_traffic = today-yesterday
0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...