Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to get events count by day with relative difference in time

saitejagayala
New Member
‎06-10-2019 07:18 AM

Hello,
I need to get the daily Events count per week. till this I did using Query

index = *  myBaseQuery |bucket _time span=day |stats count by _time | sort -count

But, there is some relative time which is happening, as per functionality and that relative time is stored in the variable finalRelDate

| eval relDate=relative_time(initialDate, "-1d@d")
| eval finalRelDate =strftime(relDate, "%F")

My query is, I have to bucket the results(event count) based on finalRelDate, which I am not getting.

Can anybody help on this!!
Thank you.

0 Karma
Reply

amitm05
Builder
‎06-10-2019 07:54 AM

Aren't you looking for using the time modifiers something like -
earliest=-1w@w latest=@d index=_internal sourcetype=splunkd* |bucket _time span=day |stats count by _time | sort -count

Let me know if there is more to you ques and I havent got it .

0 Karma
Reply

Vijeta
Influencer
‎06-10-2019 07:51 AM

@saitejagayala Did you try assigning finalRelDate to _time?
before bucket command try adding eval _time=finalRelDate

0 Karma
Reply

somesoni2
Revered Legend
‎06-10-2019 07:50 AM

You can run your bucket and stats on relDate (while it's in epoch format).

index = *  myBaseQuery | eval relDate=relative_time(initialDate, "-1d@d")|bucket relDate span=day |stats count by relDate | sort -count
0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...