sachin mirajkar
Reputation: 119
timechart is crating stats which are not part of the search in splunk
I was extracting some volume data for PE testing from prod systems, using following query
I am expecting to get stats from 9AM to 6PM event counts with respect to proxy names. but following code creating stats for entire day please help me to remove these extra data.
Query
index= index_Name environmentName= Env_name clientAppName="App_Name"
| eval eventHour=strftime(_time,"%H")
| where eventHour<18 AND eventHour>=9
| timechart count span=60m by proxyName
result :
| TIme | Proxy1 | proxy2 |
|---|---|---|
| 2022-02-16 06:00 | 0 | 0 |
| 2022-02-16 07:00 | 0 | 0 |
| 2022-02-16 08:00 | 0 | 0 |
| 2022-02-16 09:00 | 27 | 34 |
Upvotes: 0
Views: 600
Answers (1)
RichG
Reputation: 9906
The best way to narrow the time window is by using the earliest and latest options in the search command.
To find the events between 9am and 6pm today:
index= index_Name environmentName= Env_name clientAppName="App_Name" earliest=@d+9h latest=@d+18h
| timechart count span=60m by proxyName
To find the events from yesterday between 9am and 6pm:
index= index_Name environmentName= Env_name clientAppName="App_Name" earliest=-1d@d+9h latest=-1d@d+18h
| timechart count span=60m by proxyName
The @d+9h construct says to go to the beginning of the day and add 9 hours.
Upvotes: 1
Related Questions
- Splunk: How to get two searches in one timechart/graph?
- Splunk: How to get a timechart regarding the extracted _time values for which range() was applied?
- Splunk panel showing graph for a specific time range
- How to Cluster and create a timechart in splunk
- How to add total and percentage column for splunk timechart command
- Splunk time calculation issues
- Display Splunk Timechart in Local Time
- Splunk post-process timecharts display "no results found" in dashboard, but query on its own is fine
- My Splunk Timechart isn't returning any values
- How do I change the timespan in a splunk timechart report?