topic Re: Bucket not bucketing Z after calling chart X over Y by Z in Splunk Search

Bucket not bucketing Z after calling chart X over Y by Z

kkas — Wed, 17 Jun 2015 17:10:01 GMT

I am trying to get the output to look like this

Process Name | 10:00:00 | 10:10:00| 10:20:00...etc
_________________________________________________
C:\          |    0       |    3       |     1
C:\          |    1       |   2        |     0

My Search currently looks like this:

search sourcetype="Beta" Account_Name=Alpha|eval time=strftime(_time, "%H:%M:%S")|bucket time span=10m|chart count over New_Process by time

It instead outputs

Process Name | 10:00:01 | 10:00:02| 10:00:03...etc
    _________________________________________________
    C:\          |    0       |    3       |     1
    C:\          |    1       |   2        |     0

Any idea how to fix this? or what may be wrong?

Re: Bucket not bucketing Z after calling chart X over Y by Z

woodcock — Wed, 17 Jun 2015 17:44:05 GMT

Try this (the last time should be _time😞

 search sourcetype="Beta" Account_Name=Alpha|eval time=strftime(_time, "%H:%M:%S")|bucket time span=10m|chart count over New_Process by _time

Re: Bucket not bucketing Z after calling chart X over Y by Z

martin_mueller — Wed, 17 Jun 2015 18:14:24 GMT

You can't bucket a string into ten-minute segments, so you will need to reorder your query like so:

 sourcetype="Beta" Account_Name=Alpha | bucket _time span=10m |eval time=strftime(_time, "%H:%M:%S") | chart count over New_Process by time

That will apply the bucketing while the timestamp still is a timestamp, and then turn it into a string you want for neat displaying.

Re: Bucket not bucketing Z after calling chart X over Y by Z

martin_mueller — Wed, 17 Jun 2015 18:14:51 GMT

That doesn't use the bucketed value at all in the chart.

Re: Bucket not bucketing Z after calling chart X over Y by Z

woodcock — Wed, 17 Jun 2015 18:18:45 GMT

You are correct, there was a typo and some extra stuff. it is fixed now; please retry:

  sourcetype="Beta" Account_Name=Alpha|bucket _time span=10m|chart count over New_Process by _time

Re: Bucket not bucketing Z after calling chart X over Y by Z

kkas — Wed, 17 Jun 2015 18:22:40 GMT

I had tried switching in and out _time for time but it doesn't change the layout like im looking for. only changes between the evaluated format and the original time format

Re: Bucket not bucketing Z after calling chart X over Y by Z

kkas — Wed, 17 Jun 2015 18:34:40 GMT

Thanks!!! this worked!

Re: Bucket not bucketing Z after calling chart X over Y by Z

kkas — Wed, 17 Jun 2015 18:43:34 GMT

Thanks for your input!
I'm not sure if it works because I don't know how to read the mumbo jumbo time it spits out but I get the same table format as the question stated except the time slots are displayed as follows:
1434553200|1434554400|1434555000|1434555600...etc

I'm not sure if those translate to time 10 minutes apart, but I thought I would let you know what happened for both of our education 🙂
I tried Martin's approach and it worked, but I still appreciate your input as always woodcock!