All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

time range splunk search & increase time range

rups260386
New Member
‎06-16-2019 01:37 AM

currently when I am running below query getting hourly count, but I need to have count always start from 00:00 to 01:00, 00:00 to 02:00, 00:00 to 03:00, 00:00 to 04:00, 00:00 to 05:00 ....... 00:00 to current hour.

How I can modify below query so that I will get output hourly but search clock always start from 00:00. It would be great if anyone can help me.

index=mdp_ivc_cdrs sourcetype=prd_mdp_ivc_cdrs earliest=@d latest=now | bucket _time span=1h |timechart span=1h count(eval(like(INGRESS_TRUNKCONTEXT,"%amazon%"))) as "Outound Calls",count(eval(like(INGRESS_TRUNKCONTEXT,"%vodafone%"))) as "Inbound Calls",count(eval(like(INGRESS_TRUNKCONTEXT,"%amazon%") AND CDR_TYPE=2 AND ANSWERED_CALL=1)) as "Outbound Answered Calls",count(eval(like(INGRESS_TRUNKCONTEXT,"%vodafone%") AND CDR_TYPE=2 AND ANSWERED_CALL=1)) as "Inbound  Answered Calls"

alt text

Preview file
24 KB
0 Karma
Reply

DavidHourani
Super Champion
‎06-16-2019 06:36 AM

Hi @rups260386,

Since you're already counting hour by hour from earliest=@d then all you have to do is add this to the end of your search |streamstats sum(*) as *to make an incremental sum of the results.

Your search should then look like this :

index=mdp_ivc_cdrs sourcetype=prd_mdp_ivc_cdrs earliest=@d latest=now 
| bucket _time span=1h 
| timechart span=1h count(eval(like(INGRESS_TRUNKCONTEXT,"%amazon%"))) as "Outound Calls",count(eval(like(INGRESS_TRUNKCONTEXT,"%vodafone%"))) as "Inbound Calls",count(eval(like(INGRESS_TRUNKCONTEXT,"%amazon%") AND CDR_TYPE=2 AND ANSWERED_CALL=1)) as "Outbound Answered Calls",count(eval(like(INGRESS_TRUNKCONTEXT,"%vodafone%") AND CDR_TYPE=2 AND ANSWERED_CALL=1)) as "Inbound  Answered Calls"
|streamstats sum(*) as *

Cheers,
David

Reply

martinpu
Communicator
‎06-16-2019 05:00 AM

I am not sure I understand the question, as it seems your query already accomplishes this task.

earliest=@d

in your query, does what you are requesting

Please explain further
Edit:

Are you looking for a cumulative count?

Try this:

index=mdp_ivc_cdrs sourcetype=prd_mdp_ivc_cdrs earliest=@d latest=now 
| bucket _time span=1h 
| timechart span=1h count(eval(like(INGRESS_TRUNKCONTEXT,"%amazon%"))) as "Outound Calls",count(eval(like(INGRESS_TRUNKCONTEXT,"%vodafone%"))) as "Inbound Calls",count(eval(like(INGRESS_TRUNKCONTEXT,"%amazon%") AND CDR_TYPE=2 AND ANSWERED_CALL=1)) as "Outbound Answered Calls",count(eval(like(INGRESS_TRUNKCONTEXT,"%vodafone%") AND CDR_TYPE=2 AND ANSWERED_CALL=1)) as "Inbound  Answered Calls" 
| streamstats sum("Outbound Calls") ,sum("Inbound Calls") , sum("Outbound Answered Calls") ,sum("Inbound  Answered Calls")
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...