Splunk Enterprise

Time slicing issue

manibattula
New Member

I have the below query and it should give the results for a time filter of the last four hours (or) the last 24 hours.

| makeresults | bucket _time span=1h | stats count by _time

But it is giving only the latest hour instead of 4 records for the last-four-hours filter (or) 24 records for the last-24-hours filter.

Kindly help us.

1 Solution

richgalloway
SplunkTrust

makeresults by itself generates a single event with the current timestamp. Therefore, that event will fit into a single hour bucket. If you tell makeresults to generate multiple events, those events will have the same timestamp and you'll still have everything in a single bucket.

Please describe the problem you are trying to solve and we may be able to suggest a solution.

---
If this reply helps you, Karma would be appreciated.

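As an added example (not from the original post or the answer above), one way to make makeresults produce one event per hour bucket: generate the rows with count, number them with streamstats, and push each row's _time back by that many hours. The four-hour window is an assumption; use count=24 for a 24-hour window.

```spl
| makeresults count=4
| streamstats count AS n
| eval _time = relative_time(now(), "@h") - (n - 1) * 3600
| bin _time span=1h
| stats count BY _time
| sort - _time
```

This returns four rows, one per hour, each with count=1. Without the streamstats and eval steps, `| makeresults count=4 | bin _time span=1h | stats count BY _time` returns a single row with count=4, because all four rows carry the same now() timestamp, which is the behaviour described in the answer above.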


manibattula
New Member

Can you please let us know how to handle the above query to get each event with respect to the span limit?


richgalloway
SplunkTrust

The current query does nothing. Please describe the real problem you are trying to solve.

---
If this reply helps you, Karma would be appreciated.

manibattula
New Member

I need time slicing here, like this:

I want to see four events for span=1h with the last-four-hours filter.

Something like below

| bin _time span=1h | fields _time

The result should be:

_time

2020-04-29 10:00
2020-04-29 9:00
2020-04-29 8:00
2020-04-29 7:00

I want to get all the time spans irrespective of count (including null), so I am trying to apply a cross join using the below "join max=0" once I get proper time slicing.

| makeresults 
| bin _time span=1h 
| fields _time 
| join max=0 [search index="us_west_prod_power_platform" sourcetype="spark:metric" metricName="HRTBT_LHIST_METRIC_DD" host="emr-prod-distributor" | spath output=osm_zone_id path=dimensions{2}.value | dedup osm_zone_id | fields osm_zone_id] 
| table _time, osm_zone_id

Kindly help us.


richgalloway
SplunkTrust

The timechart command will fill in missing time frames. Try

index="us_west_prod_power_platform" sourcetype="spark:metric" metricName="HRTBT_LHIST_METRIC_DD" host="emr-prod-distributor" 
| spath output=osm_zone_id path=dimensions{2}.value 
| dedup osm_zone_id | fields _time osm_zone_id
| timechart span=1h values(osm_zone_id) as osm_zone_id
| table _time, osm_zone_id
---
If this reply helps you, Karma would be appreciated.
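An added example, not from the original thread, for the cross join the question asked for: every hour slot paired with every osm_zone_id, whether or not that zone reported in that hour. One thing to keep in mind with the timechart answer above is that dedup osm_zone_id ahead of timechart keeps only the first event per zone, so each zone shows up in one hour bucket only; the query below instead lists every zone in every hour. The hour slots are generated with makeresults (count=4 for the last four hours is an assumption; use 24 for a day). The subsearch collects the distinct zone IDs with stats values into one multivalue field, which is joined to every hour row over a constant key k and then expanded with mvexpand. The index, sourcetype, metricName and host values are the ones from the question.

```spl
| makeresults count=4
| streamstats count AS n
| eval _time = relative_time(now(), "@h") - (n - 1) * 3600, k = 1
| fields _time k
| join k
    [ search index="us_west_prod_power_platform" sourcetype="spark:metric" metricName="HRTBT_LHIST_METRIC_DD" host="emr-prod-distributor"
      | spath output=osm_zone_id path=dimensions{2}.value
      | stats values(osm_zone_id) AS osm_zone_id
      | eval k = 1 ]
| mvexpand osm_zone_id
| fields - k
| sort - _time
| table _time osm_zone_id
```

Because the subsearch is reduced to a single row before the join, join max=0 is not needed here. Reducing with stats rather than dedup also has a second effect worth knowing: stats drops the subsearch's own _time, so it cannot overwrite the generated _time when the join copies subsearch fields onto the main rows (join overwrites same-named fields by default).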