Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Time slicing issue

manibattula
New Member
‎04-29-2020 07:28 AM

I have below query and it should gives result of time filter of last four hours (or) last 24 hours.

|makeresults |bucket _time span=1h|stats count by _time

But it giving only latest hour instead of 4 records for last four hours filter (or) 24 records for last 24 hours filter.

Kindly help us.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-29-2020 07:59 AM

makeresults by itself generates a single event with the current timestamp. Therefore, that event will fit into a single hour bucket. If you tell makeresults to generate multiple events, those events will have the same timestamp and you'll still have everything in a single bucket.

Please describe the problem you are trying to solve and we may be able to suggest a solution.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

manibattula
New Member
‎04-29-2020 09:45 AM

I need the time slicing here like

I want to see four event for span=1h in the last four hours filter .

Something like below

| bin _time span=1h | fields _time

result should be

_time

2020-04-29 10:00
2020-04-29 9:00
2020-04-29 8:00
2020-04-29 7:00

I want to get all the time span irrespective of count have null also,so I am trying to apply cross join using below "join max =0" once I got proper Time slicing

| makeresults | bin _time span=1h | fields _time | join max=0 [search index="us_west_prod_power_platform" sourcetype="spark:metric" metricName="HRTBT_LHIST_METRIC_DD" host="emr-prod-distributor" | spath output=osm_zone_id path=dimensions{2}.value | dedup osm_zone_id | fields osm_zone_id] | table _time, osm_zone_id

Kindly help us.

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-29-2020 07:59 AM

makeresults by itself generates a single event with the current timestamp. Therefore, that event will fit into a single hour bucket. If you tell makeresults to generate multiple events, those events will have the same timestamp and you'll still have everything in a single bucket.

Please describe the problem you are trying to solve and we may be able to suggest a solution.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

manibattula
New Member
‎04-29-2020 08:39 AM

Can you please let us know how to handle the above query getting each event with respect to span limit

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎04-29-2020 08:57 AM

The current query does nothing. Please describe the real problem you are trying to solve.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

manibattula
New Member
‎04-29-2020 09:29 AM

I need the time slicing here like

I want to see four event for span=1h in the last four hours filter .

Something like below

| bin _time span=1h | fields _time

result should be

_time

2020-04-29 10:00
2020-04-29 9:00
2020-04-29 8:00
2020-04-29 7:00

I want to get all the time span irrespective of count have null also,so I am trying to apply cross join using below "join max =0" once I got proper Time slicing

| makeresults | bin _time span=1h | fields _time | join max=0 [search index="us_west_prod_power_platform" sourcetype="spark:metric" metricName="HRTBT_LHIST_METRIC_DD" host="emr-prod-distributor" | spath output=osm_zone_id path=dimensions{2}.value | dedup osm_zone_id | fields osm_zone_id] | table _time, osm_zone_id

Kindly help us.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎04-29-2020 10:26 AM

The timechart command will fill in missing time frames. Try

index="us_west_prod_power_platform" sourcetype="spark:metric" metricName="HRTBT_LHIST_METRIC_DD" host="emr-prod-distributor" 
| spath output=osm_zone_id path=dimensions{2}.value 
| dedup osm_zone_id | fields _time osm_zone_id
| timechart span=1h values(osm_zone_id) as osm_zone_id
| table _time, osm_zone_id
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...