Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to group by day but with different time ?

mah
Builder
‎09-23-2020 07:53 AM

Hi, 

I have a table like this : 

mah_0-1600872463368.png

I want to group by day and tried the commande | bucket span=1d field_date but without success. 

How can I do ? 

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-23-2020 08:53 AM

The bin is to set up buckets for a stats command - if we assume you want to sum the OK, KO and TOTAL columns by day

| eval time=strptime(substr(field_date,1,10),"%Y-%m-%d")
| fieldformat time=strftime(time,"%Y-%m-%d")
| bin time span=1d
| stats sum(OK) as OK sum(KO) as KO sum(TOTAL) as TOTAL by time

 

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-23-2020 08:19 AM

Is your field a string rather than a datetime field? Perhaps you can create a time field from the first 10 characters of the field_date?

| eval day=strptime(substr(field_date,1,10),"%Y-%m-%d")
| bin span=1d day
0 Karma
Reply
Solved! Jump to solution

mah
Builder
‎09-23-2020 08:23 AM

Hi @ITWhisperer ,

It returns this : 

mah_0-1600874499754.png

How can I write values of day field in %Y%m%d ?

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-23-2020 08:27 AM 
| fieldformat day=strftime(day,"%Y%m%d")
0 Karma
Reply
Solved! Jump to solution

mah
Builder
‎09-23-2020 08:44 AM

Thanks, 

Now I have this :

mah_0-1600875652131.png

 I applied the bin command, it doesn't work. I tried the bucket command, it doesn't work too. 

| eval time=strptime(substr(field_date,1,10),"%Y-%m-%d")
| fieldformat time=strftime(time,"%Y-%m-%d")
| table time OK KO TOTAL
| bin time span=1d

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-23-2020 08:53 AM

The bin is to set up buckets for a stats command - if we assume you want to sum the OK, KO and TOTAL columns by day

| eval time=strptime(substr(field_date,1,10),"%Y-%m-%d")
| fieldformat time=strftime(time,"%Y-%m-%d")
| bin time span=1d
| stats sum(OK) as OK sum(KO) as KO sum(TOTAL) as TOTAL by time

 

Reply
Solved! Jump to solution

mah
Builder
‎09-24-2020 12:40 AM

hi @ITWhisperer ,

Exactly what I was looking for. 

I didn't know that the stat command had to be written after the bin command. That why the bin didn't work. 

Thank you very much. 

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...