Solved: Regroup Splunk events with almost similar _time

Zakary_n · ‎01-30-2019

Hello all,

Every 10 seconds, I send a bunch of events to Splunk.
I need to count how many events I receive every 10 sec but I can't get the real number because of the fact that Splunk doesn't regroup them together if their time is even slightly different.

Very simple example :

10 : 00 : 10.052 Hello Splunk!
10 : 00 : 10.052 Hello Splunk!
10 : 00 : 10.054 Hello Splunk!
10 : 00 : 10.054 Hello Splunk!

10 : 00 : 20.052 Hello Splunk!
10 : 00 : 20.052 Hello Splunk!
10 : 00 : 20.055 Hello Splunk!

Splunk would regroup those events into 4 groups (events at 10.052 , 10.054, 20.052, 20.055) instead of 2 groups (events at 10.50 and at 20.50 for example).

For such an example, I would like to get something like :
10 : 00 : 10.00 -> 4 Hello Splunk
10 : 00 : 20.00 -> 3 Hello Splunk

Is there a workaround to that ?

Thank you.

Zakary_n · ‎01-30-2019

See vishaltaneja07011993's answer.

View solution in original post

Zakary_n · ‎01-30-2019

See vishaltaneja07011993's answer.

vishaltaneja070 · ‎01-30-2019

@Zakary_n

Thank you 🙂

vishaltaneja070 · ‎01-30-2019

try using timechart with span=10sec

i.e. |timechart count span=10s

Zakary_n · ‎01-30-2019

Yeah simple as that. Should have thought about that, haven't used Splunk in quite a while. Thank you.

Zakary_n · ‎01-30-2019

Completly forgot about timechart omg! Thank you, doing it atm

Regroup Splunk events with almost similar _time

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Join the Conversation