topic Re: How to write one search find the count for three different time frames without using append or multisearch? in Splunk Search

How to write one search find the count for three different time frames without using append or multisearch?

Venkat_16 — Wed, 29 Apr 2015 06:27:23 GMT

Hi,

Please help me sort this out.
I have a single search like index=test sourcetype= test...| stats count, but the trick here is I have to find the count for -30m@m, -15m@m and -5m@m....and the condition is we shouldn't use append or multisearch..it should run in a single query.

the output would look something like below:

count(last30min)  count(last15min)  count(last5m)
      xxx               xxxx            xxxxx

NOTE: it should run in a single search, no append or multisearch

Re: How to write one search find the count for three different time frames without using append or multisearch?

rsennett_splunk — Wed, 29 Apr 2015 07:21:59 GMT

Can you explain why you have the condition banning append (and presumably appendcols) and subsearches?

Re: How to write one search find the count for three different time frames without using append or multisearch?

vganjare — Wed, 29 Apr 2015 08:46:42 GMT

Hi,

You can create a field which identifies the time frame bucket. e.g.

..| eval currentTime=now() | eval timeBucket=if(_time > (currentTime-5mins), "5Mins", next conditions for 15 and 30 mins ) | stats count by timeBucket

Note: convert mins in seconds for comparision.

Thanks!!

Re: How to write one search find the count for three different time frames without using append or multisearch?

Venkat_16 — Fri, 01 May 2015 17:24:05 GMT

The condition was the env we are using can run only 10 concurrent searches and i have already 9 searches in place so thats why we ignored append