Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to achieve day histogram in 20 minute interval?

Ste
Path Finder
‎02-02-2023 05:11 AM

The code below does create a table/ scatter plot showing the warnings per hour of day. 

All warnings between 00:00 and 00:59 will be counted/ listed in date_hour 0, warnings from 01:00 until 01:59 will be counted in date_hour 1, ....

If the time range is set across multiple days I still have the date_hours 0...23 all the warnings will be added independent of the date.

 

index="..." sourcetype="..." 
| strcat opc "_" frame_num "_" elem_id uniqueID
| search status_1="DRW 1*"
| stats count as warning by date_hour, uniqueID
| table uniqueID date_hour warning

 

For the kind of evaluation we're doing we would need to have shorter counting intervals than the one given by date_hour, e.g. 20 minutes.

The question is: how to update the code to get counting intervals smaller than one hour???

Below I managed to reduce the time interval to 20 minutes.  

 

index="..." sourcetype="..." 
| strcat opc "_" frame_num "_" elem_id uniqueID
| search status_1="DRW 1*"
| bin _time span=20m as interval
| stats count as warning by interval, uniqueID
| table uniqueID interval warning

 

 But: the date is still in there so I have a 20 min counting interval one day after the other. And the interval string is no more human readyble in the table. 

Any help is appreciated.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-02-2023 05:17 AM 
index="..." sourcetype="..." 
| strcat opc "_" frame_num "_" elem_id uniqueID
| search status_1="DRW 1*"
| bin _time span=20m as interval
| eval interval = strftime(interval,"%H:%M")
| stats count as warning by interval, uniqueID
| table uniqueID interval warning

View solution in original post

0 Karma
Reply
Solved! Jump to solution

Ste
Path Finder
‎02-02-2023 06:33 AM

Most probably I got it:

index="..." sourcetype="..." 
| strcat opc "_" frame_num "_" elem_id uniqueID
| search status_1="DRW 1*"
| bin _time span=20m as interval
| eval interval = strftime(interval,"%H.%M")
| stats count as warning by interval, uniqueID
| table uniqueID interval warning

 

Changing the format string from "%H:%M"  to "%H.%M" seems to do the trick

0 Karma
Reply
Solved! Jump to solution

Ste
Path Finder
‎02-02-2023 06:23 AM

@ITWhisperer Thank you, that was fast. 

I do get now a proper table with exactly the data I was looking for. 

But if I try to display this table as a scatter plot via Visualization I got a strange plot:

scatter.jpg

It looks like the scatter plot can not handle the interval information.  

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-02-2023 06:38 AM 
index="..." sourcetype="..." 
| strcat opc "_" frame_num "_" elem_id uniqueID
| search status_1="DRW 1*"
| bin _time span=20m as interval
``` scatter plot will need a numeric ```
| eval interval = tonumber(strftime(interval,"%H%M"))
| stats count as warning by interval, uniqueID
| table uniqueID interval warning
0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-02-2023 05:17 AM 
index="..." sourcetype="..." 
| strcat opc "_" frame_num "_" elem_id uniqueID
| search status_1="DRW 1*"
| bin _time span=20m as interval
| eval interval = strftime(interval,"%H:%M")
| stats count as warning by interval, uniqueID
| table uniqueID interval warning
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...