Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Time slicing issue

manibattula
New Member
‎04-29-2020 07:28 AM

I have below query and it should gives result of time filter of last four hours (or) last 24 hours.

|makeresults |bucket _time span=1h|stats count by _time

But it giving only latest hour instead of 4 records for last four hours filter (or) 24 records for last 24 hours filter.

Kindly help us.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-29-2020 07:59 AM

makeresults by itself generates a single event with the current timestamp. Therefore, that event will fit into a single hour bucket. If you tell makeresults to generate multiple events, those events will have the same timestamp and you'll still have everything in a single bucket.

Please describe the problem you are trying to solve and we may be able to suggest a solution.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

manibattula
New Member
‎04-29-2020 09:45 AM

I need the time slicing here like

I want to see four event for span=1h in the last four hours filter .

Something like below

| bin _time span=1h | fields _time

result should be

_time

2020-04-29 10:00
2020-04-29 9:00
2020-04-29 8:00
2020-04-29 7:00

I want to get all the time span irrespective of count have null also,so I am trying to apply cross join using below "join max =0" once I got proper Time slicing

| makeresults | bin _time span=1h | fields _time | join max=0 [search index="us_west_prod_power_platform" sourcetype="spark:metric" metricName="HRTBT_LHIST_METRIC_DD" host="emr-prod-distributor" | spath output=osm_zone_id path=dimensions{2}.value | dedup osm_zone_id | fields osm_zone_id] | table _time, osm_zone_id

Kindly help us.

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-29-2020 07:59 AM

makeresults by itself generates a single event with the current timestamp. Therefore, that event will fit into a single hour bucket. If you tell makeresults to generate multiple events, those events will have the same timestamp and you'll still have everything in a single bucket.

Please describe the problem you are trying to solve and we may be able to suggest a solution.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

manibattula
New Member
‎04-29-2020 08:39 AM

Can you please let us know how to handle the above query getting each event with respect to span limit

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎04-29-2020 08:57 AM

The current query does nothing. Please describe the real problem you are trying to solve.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

manibattula
New Member
‎04-29-2020 09:29 AM

I need the time slicing here like

I want to see four event for span=1h in the last four hours filter .

Something like below

| bin _time span=1h | fields _time

result should be

_time

2020-04-29 10:00
2020-04-29 9:00
2020-04-29 8:00
2020-04-29 7:00

I want to get all the time span irrespective of count have null also,so I am trying to apply cross join using below "join max =0" once I got proper Time slicing

| makeresults | bin _time span=1h | fields _time | join max=0 [search index="us_west_prod_power_platform" sourcetype="spark:metric" metricName="HRTBT_LHIST_METRIC_DD" host="emr-prod-distributor" | spath output=osm_zone_id path=dimensions{2}.value | dedup osm_zone_id | fields osm_zone_id] | table _time, osm_zone_id

Kindly help us.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎04-29-2020 10:26 AM

The timechart command will fill in missing time frames. Try

index="us_west_prod_power_platform" sourcetype="spark:metric" metricName="HRTBT_LHIST_METRIC_DD" host="emr-prod-distributor" 
| spath output=osm_zone_id path=dimensions{2}.value 
| dedup osm_zone_id | fields _time osm_zone_id
| timechart span=1h values(osm_zone_id) as osm_zone_id
| table _time, osm_zone_id
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...