Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get the total count of events for earliest hour and latest hour time for a particular field?

vrmandadi
Builder
‎05-31-2022 01:47 PM

I am trying to get the total count of a field called ID for earliest and latest time for a particular time range. Assume I am looking for a time range of Mor 8AM to 5PM . I want the count of total for a field called "ID" for 8AM TO 9AM and also count from 4PM TO 5PM for field called 'ID" and show what is different if there is a difference in values of ID for hours 8AM TO 9AM and 4PM TO 5PM .

 

Following is the query I am using

index=test
| rename "results{}.id" as "id"
| bin _time span=1h | stats count(id) as total by _time
| delta total as difference
| fillnull value=0
|eval status=case(difference=0, "No change", difference<0, "Device(s) Removed" , difference>0 ,"Device(s) Added")
| search status!="No change"
| rename _time as time | eval time=strftime(time,"%m/%d/%y %H:%M:%S")

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-31-2022 02:28 PM

Try something like this

index=test (earliest=@d+8h latest=@d+9h) OR (earliest=@d+16h latest=@d+17h)
| rename "results{}.id" as "id"
| bin _time span=1h | stats count(id) as total by _time
| delta total as difference
| fillnull value=0
|eval status=case(difference=0, "No change", difference<0, "Device(s) Removed" , difference>0 ,"Device(s) Added")
| search status!="No change"
| rename _time as time | eval time=strftime(time,"%m/%d/%y %H:%M:%S")

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-31-2022 02:28 PM

Try something like this

index=test (earliest=@d+8h latest=@d+9h) OR (earliest=@d+16h latest=@d+17h)
| rename "results{}.id" as "id"
| bin _time span=1h | stats count(id) as total by _time
| delta total as difference
| fillnull value=0
|eval status=case(difference=0, "No change", difference<0, "Device(s) Removed" , difference>0 ,"Device(s) Added")
| search status!="No change"
| rename _time as time | eval time=strftime(time,"%m/%d/%y %H:%M:%S")
Reply
Solved! Jump to solution

vrmandadi
Builder
‎06-01-2022 10:00 AM

Thank you it worked.I never know that we can add + in earliest and latest.Thank you I learned something new

0 Karma
Reply
Solved! Jump to solution

vrmandadi
Builder
‎06-01-2022 09:20 AM

I tried to run line by line. I ran the below search but I only got 8AM events.

index=test (earliest=@d+8h latest=@d+9h) OR (earliest=@d+16h latest=@d+17h)
| rename "results{}.id" as "id"
| bin _time span=1h | stats count(id) as total by _time

vrmandadi_0-1654100438141.png

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-01-2022 09:26 AM

What time did you run it at? The time selection is based on today - if you want yesterday for example use

index=test (earliest=-1d@d+8h latest=-1d@d+9h) OR (earliest=-1d@d+16h latest=-1d@d+17h)
| rename "results{}.id" as "id"
| bin _time span=1h | stats count(id) as total by _time
0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...