Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to use timechart or bucket span to view the result every 30 mins using below query?

anil1219
Engager
‎09-15-2023 05:31 PM

Hi,

I want to use timechart or bucket span to view the result every 30 mins using below query.

Could you please let me know how I can use timechart or bucket span=30m _time here.

 

index=* handler=traffic <today timerange>
| stats dc(dsid) as today_Traffic
| appendcols
[search index=* handler=traffic <yesterday timerange>
| stats dc(dsid) as Previous_day_Traffic]
| eval delta_traffic = today_Traffic-Previous_day_Traffic

Labels (2)
Labels
Tags (1)
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎09-17-2023 05:44 PM

You can use timechart/timewrap if you want to end up with a timechart dataset which you can plot overlaid on each other

index=* handler=traffic (earliest=-1d@d latest=@d) OR (earliest=@d latest=now)
| timechart span=30m dc(dsid) as traffic
| timewrap 1d
| eval delta=traffic_latest_day - traffic_1day_before

or you can 'move' the previous day values to 'today' for charting purposes, by just adding 86400 (seconds in a day) to yesterday's value (which is what timewrap effectively does).

index=* handler=traffic (earliest=-1d@d latest=@d) OR (earliest=@d latest=now)
| eval d=if(_time>=relative_time(now(), "@d"), "today", "yesterday")
| eval _time=_time + if(d="yesterday", 86400, 0)
| timechart fixedrange=f span=30m dc(dsid) by d
| eval delta=today-yesterday

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-15-2023 11:00 PM

Try something like this

index=* handler=traffic <today timerange> OR <yesterday timerange>
| eval day=if(_time < relative_time(now(),"@d"), "yesterday", "today")
| timechart span=30m dc(dsid) as traffic by day
| eval delta_traffic = today-yesterday
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...