Re: How to get events count by day with relative d...

saitejagayala · ‎06-10-2019

Hello,
I need to get the daily Events count per week. till this I did using Query

index = *  myBaseQuery |bucket _time span=day |stats count by _time | sort -count

But, there is some relative time which is happening, as per functionality and that relative time is stored in the variable finalRelDate

| eval relDate=relative_time(initialDate, "-1d@d")
| eval finalRelDate =strftime(relDate, "%F")

My query is, I have to bucket the results(event count) based on finalRelDate, which I am not getting.

Can anybody help on this!!
Thank you.

amitm05 · ‎06-10-2019

Aren't you looking for using the time modifiers something like -
earliest=-1w@w latest=@d index=_internal sourcetype=splunkd* |bucket _time span=day |stats count by _time | sort -count

Let me know if there is more to you ques and I havent got it .

Vijeta · ‎06-10-2019

@saitejagayala Did you try assigning finalRelDate to _time?
before bucket command try adding eval _time=finalRelDate

somesoni2 · ‎06-10-2019

You can run your bucket and stats on relDate (while it's in epoch format).

index = *  myBaseQuery | eval relDate=relative_time(initialDate, "-1d@d")|bucket relDate span=day |stats count by relDate | sort -count

How to get events count by day with relative difference in time

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 2)

Index This | I am a number but I am countless. What am I?

What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience