Solved: Re: Time slicing issue

manibattula · ‎04-29-2020

I have below query and it should gives result of time filter of last four hours (or) last 24 hours.

|makeresults |bucket _time span=1h|stats count by _time

But it giving only latest hour instead of 4 records for last four hours filter (or) 24 records for last 24 hours filter.

Kindly help us.

richgalloway · ‎04-29-2020

makeresults by itself generates a single event with the current timestamp. Therefore, that event will fit into a single hour bucket. If you tell makeresults to generate multiple events, those events will have the same timestamp and you'll still have everything in a single bucket.

Please describe the problem you are trying to solve and we may be able to suggest a solution.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

manibattula · ‎04-29-2020

I need the time slicing here like

I want to see four event for span=1h in the last four hours filter .

Something like below

| bin _time span=1h | fields _time

result should be

_time

2020-04-29 10:00
2020-04-29 9:00
2020-04-29 8:00
2020-04-29 7:00

I want to get all the time span irrespective of count have null also,so I am trying to apply cross join using below "join max =0" once I got proper Time slicing

| makeresults | bin _time span=1h | fields _time | join max=0 [search index="us_west_prod_power_platform" sourcetype="spark:metric" metricName="HRTBT_LHIST_METRIC_DD" host="emr-prod-distributor" | spath output=osm_zone_id path=dimensions{2}.value | dedup osm_zone_id | fields osm_zone_id] | table _time, osm_zone_id

Kindly help us.

richgalloway · ‎04-29-2020

makeresults by itself generates a single event with the current timestamp. Therefore, that event will fit into a single hour bucket. If you tell makeresults to generate multiple events, those events will have the same timestamp and you'll still have everything in a single bucket.

Please describe the problem you are trying to solve and we may be able to suggest a solution.

---
If this reply helps you, Karma would be appreciated.

manibattula · ‎04-29-2020

Can you please let us know how to handle the above query getting each event with respect to span limit

richgalloway · ‎04-29-2020

The current query does nothing. Please describe the real problem you are trying to solve.

---
If this reply helps you, Karma would be appreciated.

manibattula · ‎04-29-2020

I need the time slicing here like

I want to see four event for span=1h in the last four hours filter .

Something like below

| bin _time span=1h | fields _time

result should be

_time

2020-04-29 10:00
2020-04-29 9:00
2020-04-29 8:00
2020-04-29 7:00

I want to get all the time span irrespective of count have null also,so I am trying to apply cross join using below "join max =0" once I got proper Time slicing

| makeresults | bin _time span=1h | fields _time | join max=0 [search index="us_west_prod_power_platform" sourcetype="spark:metric" metricName="HRTBT_LHIST_METRIC_DD" host="emr-prod-distributor" | spath output=osm_zone_id path=dimensions{2}.value | dedup osm_zone_id | fields osm_zone_id] | table _time, osm_zone_id

Kindly help us.

richgalloway · ‎04-29-2020

The timechart command will fill in missing time frames. Try

index="us_west_prod_power_platform" sourcetype="spark:metric" metricName="HRTBT_LHIST_METRIC_DD" host="emr-prod-distributor" 
| spath output=osm_zone_id path=dimensions{2}.value 
| dedup osm_zone_id | fields _time osm_zone_id
| timechart span=1h values(osm_zone_id) as osm_zone_id
| table _time, osm_zone_id

---
If this reply helps you, Karma would be appreciated.

Time slicing issue

configuration

_time

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...