Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

tstat hourly time span without snapping to hour, relative to start of absolute time range instead

akarollil
Explorer
‎03-10-2021 08:53 AM

Hello,

I am trying to collect stats per hour using a data model for a absolute time range that starts 30 minutes past the hour. The query looks something like:

|tstats count, sum(X), sum(Y) FROM datamodel=ZModel BY _time span=1h

I choose a time range using the Date & Time Range picker, but the range starts at 30 minutes past the hour. So say something like Jan 1 16:30 to Jan 2 16:30. The problem I have is that the time 'buckets' in the result snap to the hour, and so the hourly ranges are like 16:00 - 17:00, 17:00 - 18:00 and so forth rather than 16:30 - 17:30, 17:30 - 18:30 and so forth.

Is there anyway to make the time buckets start off relative to the start time specified rather than snap to the hour? I tried using earliest= latest= instead of using the Date & Time Range picker, but that didn't help either.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎03-13-2021 02:30 AM

Hi @akarollil,

tstats command cannot do it but you can achieve by using timechart command.

Please try below;

| tstats count, sum(X) as X , sum(Y) as Y FROM datamodel=ZModel BY _time span=30m 
| timechart span=1h aligntime=@h+30m sum(count) sum(X) sum(Y)
If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

Reply
Solved! Jump to solution

scelikok
SplunkTrust
SplunkTrust
‎03-15-2021 08:33 AM

You're welcome @akarollil

Please accept the answer for community.

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎03-13-2021 02:30 AM

Hi @akarollil,

tstats command cannot do it but you can achieve by using timechart command.

Please try below;

| tstats count, sum(X) as X , sum(Y) as Y FROM datamodel=ZModel BY _time span=30m 
| timechart span=1h aligntime=@h+30m sum(count) sum(X) sum(Y)
If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply
Solved! Jump to solution

akarollil
Explorer
‎03-15-2021 08:17 AM

Thanks a lot @scelikok ! That worked. I think I had seen aligntime but couldn't figure out how to use it with tstats or timechart

0 Karma
Reply
Solved! Jump to solution

akarollil
Explorer
‎03-12-2021 09:20 AM

Somebody? Anybody?

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...