https://community.splunk.com/t5/Splunk-Search/Splunk-conditional-count-aggregation/m-p/363927#M107439 <P>Exactly what I was looking for, thanks for your help.</P> Mon, 19 Mar 2018 16:57:43 GMT bomran 2018-03-19T16:57:43Z https://community.splunk.com/t5/Splunk-Search/Splunk-conditional-count-aggregation/m-p/363925#M107437 <P>I have some CSV data about files imported in to Splunk. The data looks like this:</P> <PRE><CODE>"\\domain\path\to\file\","&lt;filename&gt;","&lt;fsize&gt;","&lt;ext&gt;","&lt;Last_access&gt;","&lt;last_write&gt;","&lt;creation_time&gt;","&lt;attributes&gt;","&lt;owner&gt;" </CODE></PRE> <P>I have converted all the date strings to epoch using:</P> <PRE><CODE>| eval epoch_LastAccessTime=strptime(LastAccessTime, "%d/%m/%Y %H:%M:%S") ... ... </CODE></PRE> <P>I want to get:</P> <UL> <LI>A percentage of files last accessed between 6 months and 3 years ago</LI> <LI>A percentage of files last accessed 3 years or more ago.</LI> </UL> <P>This is the search query that I have tried before getting stuck:</P> <PRE><CODE>index="&lt;my_index&gt;" sourcetype="&lt;my_sourcetype&gt;" | rex field=DirectoryName "\\\domain\.org\\\teams\\\(?&lt;Team&gt;[^\\\]*)" offset_field=_extracted_fields_bounds | eval epoch_LastAccessTime=strptime(LastAccessTime, "%d/%m/%Y %H:%M:%S") | eval _time=epoch_LastAccessTime | timechart span=6mon count </CODE></PRE> <P>I've tried using commands along the lines of:</P> <PRE><CODE>| where epoch_LastAccessTime&gt;=three_year_ago_from_now AND epoch_LastAccessTime&lt;=six_months_ago_from_now </CODE></PRE> <P>However, this excludes everything else (3y+)</P> <P>I want the result to look something like:</P> <PRE><CODE>TimeRange Perc 6m-3y 60% 3y+ 40% </CODE></PRE> Mon, 19 Mar 2018 15:55:20 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-conditional-count-aggregation/m-p/363925#M107437 bomran 2018-03-19T15:55:20Z https://community.splunk.com/t5/Splunk-Search/Splunk-conditional-count-aggregation/m-p/363926#M107438 <P>Your nearly on the right track. Instead of using a <CODE>where</CODE> to limit your results, use an <CODE>eval</CODE> to build a new categorical field. At that point you'll no longer need the timechart.</P> <P>Something like:</P> <PRE><CODE>| eval TimeRange=case(epoch_LastAccessTime&gt;=three_year_ago_from_now, "3y+", epoch_LastAccessTime&gt;=six_months_ago_from_now, "6m-3y", 0=0, "less than 6m") | stats count by TimeRange | eventstats sum(count) as total_count | eval pct=100*count/total_count </CODE></PRE> <P>Note "0=0" is used to provide a "default" option, since it's always true.</P> Mon, 19 Mar 2018 16:07:19 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-conditional-count-aggregation/m-p/363926#M107438 Lowell 2018-03-19T16:07:19Z https://community.splunk.com/t5/Splunk-Search/Splunk-conditional-count-aggregation/m-p/363927#M107439 <P>Exactly what I was looking for, thanks for your help.</P> Mon, 19 Mar 2018 16:57:43 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-conditional-count-aggregation/m-p/363927#M107439 bomran 2018-03-19T16:57:43Z