Solved: Re: Regroup Splunk events with almost similar _tim...

Zakary_n · ‎01-30-2019

Hello all,

Every 10 seconds, I send a bunch of events to Splunk.
I need to count how many events I receive every 10 sec but I can't get the real number because of the fact that Splunk doesn't regroup them together if their time is even slightly different.

Very simple example :

10 : 00 : 10.052 Hello Splunk!
10 : 00 : 10.052 Hello Splunk!
10 : 00 : 10.054 Hello Splunk!
10 : 00 : 10.054 Hello Splunk!

10 : 00 : 20.052 Hello Splunk!
10 : 00 : 20.052 Hello Splunk!
10 : 00 : 20.055 Hello Splunk!

Splunk would regroup those events into 4 groups (events at 10.052 , 10.054, 20.052, 20.055) instead of 2 groups (events at 10.50 and at 20.50 for example).

For such an example, I would like to get something like :
10 : 00 : 10.00 -> 4 Hello Splunk
10 : 00 : 20.00 -> 3 Hello Splunk

Is there a workaround to that ?

Thank you.

Zakary_n · ‎01-30-2019

See vishaltaneja07011993's answer.

View solution in original post

Zakary_n · ‎01-30-2019

See vishaltaneja07011993's answer.

vishaltaneja070 · ‎01-30-2019

@Zakary_n

Thank you 🙂

vishaltaneja070 · ‎01-30-2019

try using timechart with span=10sec

i.e. |timechart count span=10s

Zakary_n · ‎01-30-2019

Yeah simple as that. Should have thought about that, haven't used Splunk in quite a while. Thank you.

Zakary_n · ‎01-30-2019

Completly forgot about timechart omg! Thank you, doing it atm

Regroup Splunk events with almost similar _time

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation