topic Re: Increase count by 1 for every 10 Minutes in Splunk Search

Increase count by 1 for every 10 Minutes

denamza — Tue, 29 Sep 2020 19:01:03 GMT

Hi All,

index="XXX" |stats latest(_time) as last_seen,values(ID) as ID, count by IP_Add | eval Filter=if(count%2==0,"Even","Odd") | search Filter="Odd" |eval hours_since=(now()-last_seen) | convert timeformat="%d-%b-%y %H:%M" ctime(last_seen) | eval readable = tostring(hours_since, "duration") | sort - last_seen | rename readable as "Running for: Days+:HH:MM:SS", last_seen as "Started",IP_Add as "IP" | table ID IP Started "Running for: Days+:HH:MM:SS" count |

How do i increase count to +1 for every let's say 10 minutes that shows on duration until the stop event is received?

Thanks!!

Re: Increase count by 1 for every 10 Minutes

niketn — Thu, 12 Apr 2018 20:38:40 GMT

You would need to explain more about your use case with sample data as to what start event and end event look like. Also can you not use end epoch time - start epoch time to get duration as seconds and then divide by 600 To convert it to 10 minutes?

Re: Increase count by 1 for every 10 Minutes

alanden_splunk — Wed, 13 Jun 2018 14:24:44 GMT

To increase count by 1 from its original value, use a counter with streamstats on a bucket of 10m:

| bucket last_seen AS last_bucket span=10m | streamstats dc(last_bucket) AS counter | eval count=count+counter