How to get events count by day with relative diffe...

saitejagayala · ‎06-10-2019

Hello,
I need to get the daily Events count per week. till this I did using Query

index = *  myBaseQuery |bucket _time span=day |stats count by _time | sort -count

But, there is some relative time which is happening, as per functionality and that relative time is stored in the variable finalRelDate

| eval relDate=relative_time(initialDate, "-1d@d")
| eval finalRelDate =strftime(relDate, "%F")

My query is, I have to bucket the results(event count) based on finalRelDate, which I am not getting.

Can anybody help on this!!
Thank you.

amitm05 · ‎06-10-2019

Aren't you looking for using the time modifiers something like -
earliest=-1w@w latest=@d index=_internal sourcetype=splunkd* |bucket _time span=day |stats count by _time | sort -count

Let me know if there is more to you ques and I havent got it .

Vijeta · ‎06-10-2019

@saitejagayala Did you try assigning finalRelDate to _time?
before bucket command try adding eval _time=finalRelDate

somesoni2 · ‎06-10-2019

You can run your bucket and stats on relDate (while it's in epoch format).

index = *  myBaseQuery | eval relDate=relative_time(initialDate, "-1d@d")|bucket relDate span=day |stats count by relDate | sort -count

How to get events count by day with relative difference in time

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!