Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to group events by time range and show the count in a Pie Chart?

ips_mandar
Builder
‎08-22-2019 01:11 AM

Hi,
I want to group events by time range like below-
1. 1-6am
2. 6-9 am
3. 9-3.30am
4. 3.30-6.30pm
5. 6.30-1am

and show count of event for these time range in pie chart. how can I group events by timerange?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Sukisen1981
Champion
‎08-22-2019 02:34 AM

3rd row you mean to say 9 am - 3:30 pm right?
try this, this will split all values into grps,verify the output and then sue further
NOTE - bin span of 1 h has been used to trim down counts for testing as long as the group split works thishas no impact on removal

| eval time =strftime(_time,"%I:%M%P")
| eval time1 =strptime(time,"%I:%M%P")| eval mrkr1=strptime("06:00am","%I:%M%P")
|  eval mrkr2=strptime("09:00am","%I:%M%P")
|  eval mrkr3=strptime("03:30pm","%I:%M%P")
|  eval mrkr4=strptime("06:30pm","%I:%M%P")
|  eval mrkr5=strptime("01:00am","%I:%M%P")
| eval grp=case(time1>mrkr5 AND time1 <=mrkr1,"grp1",time1>mrkr1 AND time1 <=mrkr2,"grp2",time1>mrkr2 AND time1 <=mrkr3,"grp3",time1>mrkr3 AND time1 <=mrkr4,"grp4",time1>mrk4 AND time1 <=mrkr5,"grp5")
| stats values(time) by grp

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Sukisen1981
Champion
‎08-22-2019 02:34 AM

3rd row you mean to say 9 am - 3:30 pm right?
try this, this will split all values into grps,verify the output and then sue further
NOTE - bin span of 1 h has been used to trim down counts for testing as long as the group split works thishas no impact on removal

| eval time =strftime(_time,"%I:%M%P")
| eval time1 =strptime(time,"%I:%M%P")| eval mrkr1=strptime("06:00am","%I:%M%P")
|  eval mrkr2=strptime("09:00am","%I:%M%P")
|  eval mrkr3=strptime("03:30pm","%I:%M%P")
|  eval mrkr4=strptime("06:30pm","%I:%M%P")
|  eval mrkr5=strptime("01:00am","%I:%M%P")
| eval grp=case(time1>mrkr5 AND time1 <=mrkr1,"grp1",time1>mrkr1 AND time1 <=mrkr2,"grp2",time1>mrkr2 AND time1 <=mrkr3,"grp3",time1>mrkr3 AND time1 <=mrkr4,"grp4",time1>mrk4 AND time1 <=mrkr5,"grp5")
| stats values(time) by grp
0 Karma
Reply
Solved! Jump to solution

ips_mandar
Builder
‎08-22-2019 06:41 AM

Thanks for your answer ..
but it won't satisfy all condition like If my _time is 07pm then using above epoch comparison it won't give me result though it will fall under 6.30pm to 01am but epoch value 01am is less than 06.30 pm.

0 Karma
Reply
Solved! Jump to solution

Sukisen1981
Champion
‎08-22-2019 10:24 AM

hmm i see what you mean..the if conditions was always going to be tricky..instead of 1 am what if we make it 12:59 PM in mrkr 5?

0 Karma
Reply
Solved! Jump to solution

Sukisen1981
Champion
‎08-22-2019 10:25 AM

my main effort has been to show that you can grp by using mrkr times, the cae/ifs are a bit tricky but i think together we can fix it, what say?

0 Karma
Reply
Solved! Jump to solution

Sukisen1981
Champion
‎08-23-2019 11:52 AM

hi @ips_mandar
Any updates?

0 Karma
Reply
Solved! Jump to solution

ips_mandar
Builder
‎08-26-2019 06:07 AM

Thanks I resolved issue with said idea

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...