https://community.splunk.com/t5/Getting-Data-In/Regroup-Splunk-events-with-almost-similar-time/m-p/437099#M76236 <P>Yeah simple as that. Should have thought about that, haven't used Splunk in quite a while. Thank you.</P> Wed, 30 Jan 2019 15:24:20 GMT Zakary_n 2019-01-30T15:24:20Z https://community.splunk.com/t5/Getting-Data-In/Regroup-Splunk-events-with-almost-similar-time/m-p/437096#M76233 <P>Hello all,</P> <P>Every 10 seconds, I send a bunch of events to Splunk.<BR /> I need to count how many events I receive every 10 sec but I can't get the real number because of the fact that Splunk doesn't regroup them together if their time is even slightly different.</P> <P>Very simple example : </P> <P>10 : 00 : 10.052 Hello Splunk!<BR /> 10 : 00 : 10.052 Hello Splunk!<BR /> 10 : 00 : 10.054 Hello Splunk!<BR /> 10 : 00 : 10.054 Hello Splunk!</P> <P>10 : 00 : 20.052 Hello Splunk!<BR /> 10 : 00 : 20.052 Hello Splunk!<BR /> 10 : 00 : 20.055 Hello Splunk!</P> <P>Splunk would regroup those events into 4 groups (events at 10.052 , 10.054, 20.052, 20.055) instead of 2 groups (events at 10.50 and at 20.50 for example).</P> <P>For such an example, I would like to get something like : <BR /> 10 : 00 : 10.00 -&gt; 4 Hello Splunk<BR /> 10 : 00 : 20.00 -&gt; 3 Hello Splunk</P> <P>Is there a workaround to that ? </P> <P>Thank you.</P> Wed, 30 Jan 2019 14:32:34 GMT https://community.splunk.com/t5/Getting-Data-In/Regroup-Splunk-events-with-almost-similar-time/m-p/437096#M76233 Zakary_n 2019-01-30T14:32:34Z https://community.splunk.com/t5/Getting-Data-In/Regroup-Splunk-events-with-almost-similar-time/m-p/437097#M76234 <P>try using timechart with span=10sec</P> <P>i.e. |timechart count span=10s</P> Wed, 30 Jan 2019 14:50:25 GMT https://community.splunk.com/t5/Getting-Data-In/Regroup-Splunk-events-with-almost-similar-time/m-p/437097#M76234 vishaltaneja070 2019-01-30T14:50:25Z https://community.splunk.com/t5/Getting-Data-In/Regroup-Splunk-events-with-almost-similar-time/m-p/437098#M76235 <P>Completly forgot about timechart omg! Thank you, doing it atm</P> Wed, 30 Jan 2019 14:59:32 GMT https://community.splunk.com/t5/Getting-Data-In/Regroup-Splunk-events-with-almost-similar-time/m-p/437098#M76235 Zakary_n 2019-01-30T14:59:32Z https://community.splunk.com/t5/Getting-Data-In/Regroup-Splunk-events-with-almost-similar-time/m-p/437099#M76236 <P>Yeah simple as that. Should have thought about that, haven't used Splunk in quite a while. Thank you.</P> Wed, 30 Jan 2019 15:24:20 GMT https://community.splunk.com/t5/Getting-Data-In/Regroup-Splunk-events-with-almost-similar-time/m-p/437099#M76236 Zakary_n 2019-01-30T15:24:20Z https://community.splunk.com/t5/Getting-Data-In/Regroup-Splunk-events-with-almost-similar-time/m-p/437100#M76237 <P>See vishaltaneja07011993's answer.</P> Wed, 30 Jan 2019 15:26:03 GMT https://community.splunk.com/t5/Getting-Data-In/Regroup-Splunk-events-with-almost-similar-time/m-p/437100#M76237 Zakary_n 2019-01-30T15:26:03Z https://community.splunk.com/t5/Getting-Data-In/Regroup-Splunk-events-with-almost-similar-time/m-p/437101#M76238 <P>@Zakary_n</P> <P>Thank you <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 31 Jan 2019 05:52:50 GMT https://community.splunk.com/t5/Getting-Data-In/Regroup-Splunk-events-with-almost-similar-time/m-p/437101#M76238 vishaltaneja070 2019-01-31T05:52:50Z