https://community.splunk.com/t5/Deployment-Architecture/How-to-get-events-count-by-day-with-relative-difference-in-time/m-p/411779#M14755 <P>Hello,<BR /> I need to get the daily Events count per week. till this I did using Query</P> <PRE><CODE>index = * myBaseQuery |bucket _time span=day |stats count by _time | sort -count </CODE></PRE> <P>But, there is some relative time which is happening, as per functionality and that relative time is stored in the variable finalRelDate</P> <PRE><CODE>| eval relDate=relative_time(initialDate, "-1d@d") | eval finalRelDate =strftime(relDate, "%F") </CODE></PRE> <P>My query is, <STRONG>I have to bucket the results(event count) based on finalRelDate</STRONG>, which I am not getting.</P> <P>Can anybody help on this!!<BR /> Thank you.</P> Mon, 10 Jun 2019 14:18:01 GMT saitejagayala 2019-06-10T14:18:01Z https://community.splunk.com/t5/Deployment-Architecture/How-to-get-events-count-by-day-with-relative-difference-in-time/m-p/411779#M14755 <P>Hello,<BR /> I need to get the daily Events count per week. till this I did using Query</P> <PRE><CODE>index = * myBaseQuery |bucket _time span=day |stats count by _time | sort -count </CODE></PRE> <P>But, there is some relative time which is happening, as per functionality and that relative time is stored in the variable finalRelDate</P> <PRE><CODE>| eval relDate=relative_time(initialDate, "-1d@d") | eval finalRelDate =strftime(relDate, "%F") </CODE></PRE> <P>My query is, <STRONG>I have to bucket the results(event count) based on finalRelDate</STRONG>, which I am not getting.</P> <P>Can anybody help on this!!<BR /> Thank you.</P> Mon, 10 Jun 2019 14:18:01 GMT https://community.splunk.com/t5/Deployment-Architecture/How-to-get-events-count-by-day-with-relative-difference-in-time/m-p/411779#M14755 saitejagayala 2019-06-10T14:18:01Z https://community.splunk.com/t5/Deployment-Architecture/How-to-get-events-count-by-day-with-relative-difference-in-time/m-p/411780#M14756 <P>You can run your bucket and stats on relDate (while it's in epoch format).</P> <PRE><CODE>index = * myBaseQuery | eval relDate=relative_time(initialDate, "-1d@d")|bucket relDate span=day |stats count by relDate | sort -count </CODE></PRE> Mon, 10 Jun 2019 14:50:23 GMT https://community.splunk.com/t5/Deployment-Architecture/How-to-get-events-count-by-day-with-relative-difference-in-time/m-p/411780#M14756 somesoni2 2019-06-10T14:50:23Z https://community.splunk.com/t5/Deployment-Architecture/How-to-get-events-count-by-day-with-relative-difference-in-time/m-p/411781#M14757 <P>@saitejagayala Did you try assigning finalRelDate to _time?<BR /> before bucket command try adding eval _time=finalRelDate</P> Mon, 10 Jun 2019 14:51:43 GMT https://community.splunk.com/t5/Deployment-Architecture/How-to-get-events-count-by-day-with-relative-difference-in-time/m-p/411781#M14757 Vijeta 2019-06-10T14:51:43Z https://community.splunk.com/t5/Deployment-Architecture/How-to-get-events-count-by-day-with-relative-difference-in-time/m-p/411782#M14758 <P>Aren't you looking for using the time modifiers something like - <BR /> earliest=-1w@w latest=@d index=_internal sourcetype=splunkd* |bucket _time span=day |stats count by _time | sort -count</P> <P>Let me know if there is more to you ques and I havent got it . </P> Mon, 10 Jun 2019 14:54:13 GMT https://community.splunk.com/t5/Deployment-Architecture/How-to-get-events-count-by-day-with-relative-difference-in-time/m-p/411782#M14758 amitm05 2019-06-10T14:54:13Z