How to use timechart or bucket span to view the re...

anil1219 · ‎09-15-2023

Hi,

I want to use timechart or bucket span to view the result every 30 mins using below query.

Could you please let me know how I can use timechart or bucket span=30m _time here.

index=* handler=traffic <today timerange>
| stats dc(dsid) as today_Traffic
| appendcols
[search index=* handler=traffic <yesterday timerange>
| stats dc(dsid) as Previous_day_Traffic]
| eval delta_traffic = today_Traffic-Previous_day_Traffic

bowesmana · ‎09-17-2023

You can use timechart/timewrap if you want to end up with a timechart dataset which you can plot overlaid on each other

index=* handler=traffic (earliest=-1d@d latest=@d) OR (earliest=@d latest=now)
| timechart span=30m dc(dsid) as traffic
| timewrap 1d
| eval delta=traffic_latest_day - traffic_1day_before

or you can 'move' the previous day values to 'today' for charting purposes, by just adding 86400 (seconds in a day) to yesterday's value (which is what timewrap effectively does).

index=* handler=traffic (earliest=-1d@d latest=@d) OR (earliest=@d latest=now)
| eval d=if(_time>=relative_time(now(), "@d"), "today", "yesterday")
| eval _time=_time + if(d="yesterday", 86400, 0)
| timechart fixedrange=f span=30m dc(dsid) by d
| eval delta=today-yesterday

ITWhisperer · ‎09-15-2023

Try something like this

index=* handler=traffic <today timerange> OR <yesterday timerange>
| eval day=if(_time < relative_time(now(),"@d"), "yesterday", "today")
| timechart span=30m dc(dsid) as traffic by day
| eval delta_traffic = today-yesterday

How to use timechart or bucket span to view the result every 30 mins using below query?

eval

timechart

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector