topic Re: What is an easy way to display the last 30 days _time in a table? in Splunk Search

What is an easy way to display the last 30 days _time in a table?

akhil4mdev — Wed, 16 May 2018 03:36:59 GMT

I just wanna display last 30days _time in a table

I am using

Index=_internal earliest=-30d | bucket _time span=1d | Dedup _time | table _time

But it’s taking so much time

Is there any other easy way?

Thank you

Re: What is an easy way to display the last 30 days _time in a table?

wildcats12 — Tue, 29 Sep 2020 19:32:59 GMT

Limiting the fields to just _time and using stats instead of dedup should help:
index=_internal earliest=-30d | fields _time | bucket _time span=1d | stats count by _time | fields - count

Re: What is an easy way to display the last 30 days _time in a table?

niketn — Wed, 16 May 2018 05:17:21 GMT

If you just want to show daily _time in the table you are looking for gentimes command. It is a generating command which starts with a pipe. Please try out and confirm!

| gentimes start=-30 increment=1d

Re: What is an easy way to display the last 30 days _time in a table?

akhil4mdev — Wed, 16 May 2018 05:50:02 GMT

It worked thank you !

Re: What is an easy way to display the last 30 days _time in a table?

akhil4mdev — Wed, 16 May 2018 07:40:10 GMT

But getimes snaps to a day
It doesn’t show today

Re: What is an easy way to display the last 30 days _time in a table?

niketn — Wed, 16 May 2018 08:11:03 GMT

Add end as +1

| gentimes start=-30 end=+1 increment=1d

Re: What is an easy way to display the last 30 days _time in a table?

akhil4mdev — Wed, 16 May 2018 08:15:29 GMT

What I mean is

If I run the query today 3pm
It shd go back to 30days at 3pm

Could u please say these ?

Re: What is an easy way to display the last 30 days _time in a table?

niketn — Wed, 16 May 2018 08:36:51 GMT

Try the following search

| gentimes start=-30 end=+1 increment=1h 
| rename starttime as _time
| timechart count span=1h
| eval _time=strftime(_time,"%Y/%m/%d %H").":00:00"
| eval _time=strptime(_time,"%Y/%m/%d %H:%M:%S")
| eval currentHour=strftime(now(),"%H") 
| eval hourFilter=strftime(_time,"%H")
| where currentHour=hourFilter
| table _time

Re: What is an easy way to display the last 30 days _time in a table?

akhil4mdev — Wed, 16 May 2018 09:49:46 GMT

Thank you very much
I got what I need

Re: What is an easy way to display the last 30 days _time in a table?

akhil4mdev — Wed, 16 May 2018 09:57:10 GMT

But still can’t we snap to exact time ?
Like if I run
At 3:33 it shd snap to 30 days back at 3:33

I tried
Increment=1m but it’s not working

Thank you very much
I got what I need but still I wanna learn more about gentimes

Re: What is an easy way to display the last 30 days _time in a table?

niketn — Wed, 16 May 2018 11:19:32 GMT

@akhil4mdev, based on your last request I had used the following to snap to current hour. For minute you would need to make corresponding changes i.e.

| gentimes start=-30 end=+1 increment=1m

If you need Minute as well you would need to add %M and remove a .00 from string time conversion i.e.

| timechart span=1m count
| eval _time=strftime(_time,"%Y/%m/%d %H:%M").":00"

In Order to return only time ranges for current Hour and Minute for each day final change would be

| eval currentHour=strftime(now(),"%H:%M") 
| eval hourFilter=strftime(_time,"%H:%M")
| where currentHour=hourFilter

Final query looks like the following:

| gentimes start=-30 end=+1 increment=1m
| rename starttime as _time
| timechart span=1m count
| eval _time=strftime(_time,"%Y/%m/%d %H:%M").":00"
| eval _time=strptime(_time,"%Y/%m/%d %H:%M:%S")
| eval currentHour=strftime(now(),"%H:%M") 
| eval hourFilter=strftime(_time,"%H:%M")
| where currentHour=hourFilter
| table _time

Please try out and confirm. Do up vote the comments that have helped!

Re: What is an easy way to display the last 30 days _time in a table?

akhil4mdev — Thu, 17 May 2018 22:05:47 GMT

How to up the vote ? And can I follow you in Linkdin please?

Re: What is an easy way to display the last 30 days _time in a table?

niketn — Fri, 18 May 2018 07:02:19 GMT

When you hover over specific comment, you would notice Up Arrow pop-up next to the name which can be clicked to Up Vote.

Splunk Answers also allows you to follow your favorite Splunkter 😉 Also another great place to socialize and get immediate response over chat is to join Splunk related channels on Slack Chat.

Finally, sure... if it helps!