Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

problem with span command in splunk 7.2

09128028400
Engager
‎12-14-2021 12:23 AM

Hello every body
I have been struggling with a serious problem recently 
my splunk version is 7.2 
when I use  span Command (with tstats or bin ) , it starts from half hour ! instead of hour
for example :
| tstats count as count from datamodel=Log where Log.FinalStatus!=61  by  _time span=1h


I have picture below as result , while I want time sections like 10 , 11, 12 ...

09128028400_0-1639469153967.png

 

what should I do ??
Thank you

Labels (1)
Labels
Tags (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-14-2021 04:27 AM

Does something like this work for you?

| tstats count as count from datamodel=Log where Log.FinalStatus!=61  by  _time span=30m
| eval _time=_time-30*60
| bin _time span=1h
| eval _time=_time+30*60
| stats sum(count) as count by _time

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-14-2021 01:36 AM

Which timezone are you in?

0 Karma
Reply
Solved! Jump to solution

09128028400
Engager
‎12-14-2021 04:21 AM

Hi 
+3:30

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-14-2021 04:27 AM

Does something like this work for you?

| tstats count as count from datamodel=Log where Log.FinalStatus!=61  by  _time span=30m
| eval _time=_time-30*60
| bin _time span=1h
| eval _time=_time+30*60
| stats sum(count) as count by _time
0 Karma
Reply
Solved! Jump to solution

09128028400
Engager
‎12-14-2021 05:05 AM

It works 🙂
thank you 🙂
but do you know any solution to resolve this problem ? 
I mean , every time this sections starts from hour , not half hour  

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-14-2021 05:16 AM

_time is usually stored as number of second since start of epoch in utc - all span does is that the time value back to the start of the current time bucket (still in utc). When you display the time it is local format, hence the half hour boundary differences in your case. You could try displaying your times in utc or potentially make the adjustment when the events are indexed or petition your government to change their time zone settings so they align with hours rather than half past or move 😀

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎12-14-2021 05:11 AM
Internally Splunk is using UTC time and you have shift from it 3,5h which is used when splunk shows times.
Probably the best option is ask from splunk support if there haven't been any Indians who can help you (if I recall right at least Pune has this timezone)?
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...