Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to get events count by day with relative difference in time

saitejagayala
New Member
‎06-10-2019 07:18 AM

Hello,
I need to get the daily Events count per week. till this I did using Query

index = *  myBaseQuery |bucket _time span=day |stats count by _time | sort -count

But, there is some relative time which is happening, as per functionality and that relative time is stored in the variable finalRelDate

| eval relDate=relative_time(initialDate, "-1d@d")
| eval finalRelDate =strftime(relDate, "%F")

My query is, I have to bucket the results(event count) based on finalRelDate, which I am not getting.

Can anybody help on this!!
Thank you.

0 Karma
Reply

amitm05
Builder
‎06-10-2019 07:54 AM

Aren't you looking for using the time modifiers something like -
earliest=-1w@w latest=@d index=_internal sourcetype=splunkd* |bucket _time span=day |stats count by _time | sort -count

Let me know if there is more to you ques and I havent got it .

0 Karma
Reply

Vijeta
Influencer
‎06-10-2019 07:51 AM

@saitejagayala Did you try assigning finalRelDate to _time?
before bucket command try adding eval _time=finalRelDate

0 Karma
Reply

somesoni2
Revered Legend
‎06-10-2019 07:50 AM

You can run your bucket and stats on relDate (while it's in epoch format).

index = *  myBaseQuery | eval relDate=relative_time(initialDate, "-1d@d")|bucket relDate span=day |stats count by relDate | sort -count
0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...