topic Re: To count the filed with different time range in Splunk Search

To count the filed with different time range

parthiban — Tue, 08 Oct 2024 10:16:27 GMT

I have events that having multiple countries... I want to count the country field and with different time range. It is need to sort by highest country to lowest.

EX Country Last 24h Last 30 days Last 90 days

US 10 50 100

Aus 8 35 80

I need query kindly assist me.

Re: To count the filed with different time range

ITWhisperer — Tue, 08 Oct 2024 12:28:40 GMT

| bin _time span=1d | stats count(eval(_time>=relative_time(now(),"@d-1d"))) as 24hCount count(eval(_time>=relative_time(now(),"@d-30d"))) as 30dCount count(eval(_time>=relative_time(now(),"@d-90d"))) as 90dCount by Country

Re: To count the filed with different time range

parthiban — Tue, 08 Oct 2024 16:19:36 GMT

Hi @ITWhisperer
The query is working, but the result is not as expected. The timeframe is also not returning the correct results. I need the highest count for the past 30 days, with the country having the highest count appearing first, followed by other countries in descending order.

The below is the current result.

Re: To count the filed with different time range

PickleRick — Tue, 08 Oct 2024 19:05:17 GMT

Use the "sort" command, Luke!

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Sort

Re: To count the filed with different time range

ITWhisperer — Tue, 08 Oct 2024 22:50:42 GMT

So how would this look? You can only sort in an particular order of precedence i.e. 30days first then if they are equal, 90days, then if still equal 1 day, you know that right?

Re: To count the filed with different time range

parthiban — Thu, 10 Oct 2024 05:52:18 GMT

Hi @ITWhisperer

I made small changes in given query. It is working as expected.. Thanks for your support