How to create Group events based off a time and an ID?

add53 — Fri, 06 Jan 2023 22:30:10 GMT

I'm fairly new to Splunk and I am having some trouble grouping somethings they way I want

I have some data which all have a certain ID and a multitude of other values. I want to be able to group this data if they have the same ID, but only group them in a maximum time interval of 24 hours. This I figured out pretty easily, however, the problem is I would also like to see the actual duration of events.

For example, say I have 10 or so events that all have the same ID and they occur within a 5 minute period, I'd want to group them together. I'd also like to be able to group 10 or so events that have the same ID and occur within a 23 hour period.

I've tried using bins, which groups them properly, but then it gives them all the exact same time, so I don't know how to find the exact duration. I've also tried using time charts and transactions with poor results.

Does anyone have any ideas?

Re: Group events based off a time and an ID

ITWhisperer — Fri, 06 Jan 2023 19:05:50 GMT

Try something like this

| bin span=24h _time as time_bucket | stats min(_time) as earliest max(_time) as latest by time_bucket id | eval duration = latest - earliest

Re: Group events based off a time and an ID

add53 — Fri, 06 Jan 2023 20:31:40 GMT

That worked great, thanks!

topic Re: Group events based off a time and an ID in Splunk Search

How to create Group events based off a time and an ID?

Re: Group events based off a time and an ID

Re: Group events based off a time and an ID