topic Re: converting this search to hours instead of days in Splunk Search

converting this search to hours instead of days

Peterm1993 — Fri, 10 Nov 2023 00:52:39 GMT

Hi im trying to convert this search to show totals in hours instead of days/dates can anyone help me please?

Re: converting this search to hours instead of days

inventsekar — Fri, 10 Nov 2023 01:18:32 GMT

Hi @Peterm1993 .. do you mean, you want to convert number of days to number of hours (days divided by 24) .. OR.. when you are using that strftime, instead of picking up the days(%d), you want to pick up the hours... please confirm.. thanks.

index=analyst reporttype=DepTrayCaseQty Location=DEP/AutoDep* | where Dimension>0 OR ProtrusionError>0 OR OffCentreError>0 | table _time OrderId ProtrusionError OffCentreError Dimension * | bin _time span=1d | eval Total_time=strftime(_time,"%d") ```Comment - looks like you miss-typed the "Total_time" as "_time"``` | eval foo=ProtrusionError+OffCentreError+Dimension | chart sum(foo) as ErrorFrequency over Location by _time useother=f limit=100 | addtotals | sort 0 - Total _time | fields - TOTAL

Re: converting this search to hours instead of days

richgalloway — Fri, 10 Nov 2023 01:20:20 GMT

Change the bin command to set the desired interval. Then adjust the strftime function.

| bin _time span=1h | eval _time=strftime(_time,"%H")

Re: converting this search to hours instead of days

Peterm1993 — Fri, 10 Nov 2023 01:50:32 GMT

hi @inventsekar I'm trying to convert the results from a daily result to a hourly breakdown so instead of for example and apologies cause I'm very new to splunk

9/11/23 165 errors

it would be

1am-2am12 errors

2am-3am 35 errors

3am-4am 12 errors

totaling to 165 errors

Re: converting this search to hours instead of days

inventsekar — Fri, 10 Nov 2023 01:58:34 GMT

Hi @Peterm1993 .. As Rich suggested, the bin command should be adjusted to hour and then the strftime command should be edited from "%d" to "%H" (if this %H does not work, then, pls copy paste a sample event's _time value... we should double check how the hours looks.. (is it 12 hrs or is it 24 hrs))

Please try this Search Query.. thanks.

Re: converting this search to hours instead of days

Peterm1993 — Fri, 10 Nov 2023 02:00:17 GMT

was what i was looking for!

Re: converting this search to hours instead of days

inventsekar — Fri, 10 Nov 2023 02:02:46 GMT

Hi @Peterm1993 .. Please add karma / upvote the reply which helped you.. thanks.