topic Re: How to count the number of eventts starting at 9 am each day? in Splunk Search

How to count the number of eventts starting at 9 am each day?

auaave — Thu, 04 Jan 2018 03:51:09 GMT

Hi Guys,

I have the below query using that is using the shared timepicker: today, which is counting the events from 00:00 to 23:59.
How can I make it to start count the events from 9:00 to 23:59?

| dedup IDEVENT 
| timechart SPAN=1H COUNT AS IDEVENT 
| rename IDEVENT AS " PALLET QUANTITY"

Thanks a lot!

Re: How to count the number of eventts starting at 9 am each day?

micahkemp — Tue, 29 Sep 2020 17:29:08 GMT

I'm not sure your search in the example makes sense as-is, but perhaps that's due to it being altered for the question. Assuming it's valid, and you want to only include hours after 9am, try this:

<your search> date_hour>=9
| dedup IDEVENT 
| timechart SPAN=1H COUNT AS IDEVENT 
| rename IDEVENT AS " PALLET QUANTITY"

Splunk parses out the timestamp components (date_month, date_mday, date_hour, etc) for each event, so these fields are available to be a part of your base search.

Re: How to count the number of eventts starting at 9 am each day?

mayurr98 — Thu, 04 Jan 2018 06:19:15 GMT

hey try this

your_base_Search earliest=@d+9h latest=now 
| dedup IDEVENT 
| timechart SPAN=1H COUNT AS IDEVENT 
| rename IDEVENT AS " PALLET QUANTITY"

let me know if this helps you!

Re: How to count the number of eventts starting at 9 am each day?

auaave — Thu, 04 Jan 2018 07:16:16 GMT

@ mayurr98 Great! Thanks! It worked! 🙂

Re: How to count the number of eventts starting at 9 am each day?

mayurr98 — Thu, 04 Jan 2018 07:19:26 GMT

you are welcome,
accept and upvote if it works for you!

Re: How to count the number of eventts starting at 9 am each day?

auaave — Thu, 04 Jan 2018 07:20:04 GMT

Thanks @micahkemp