Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

bucket _time produce extra count result

dannili
Communicator
‎03-20-2019 12:36 AM

I was trying to compare events from the last two days respectively (and it should be last 24 hours instead of the day before 00:00) I used bucket _time to get the count result from each two day by setting time range in the search box as Last 2 days. However, the count produced have three results instead of 2:

index=* 
| *** base search ***
| bucket _time span=24h
| stats count by _time

Here's my result:

_time                              count
2019-03-18 08:00          1
2019-03-19 08:00          11
2019-03-20 08:00          15

But the correct result should be:

_time                           count
2019-03-19 08:00            12
2019-03-20 08:00            15

Does anyone know what's the problem? Thank you so much for the help!

0 Karma
Reply

dannili
Communicator
‎03-20-2019 12:47 AM

Right now my workaround solution is using eval:

| eval _time = _time -28800
| bucket _time span=24h
| eval _time = _time +28800
| stats count by _time

Because I checked the only event on 18th is on 8 AM but I wonder if there's any better solution?

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...