Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Adding data from multiple fields into a new field

shiv1593
Communicator
‎01-17-2018 09:00 AM

Hi All,

Out of the many data fields, I have three fields "Created Time", "Number" and "Priority" (Image below). What I want to do is

1> Create three new separate fields named "Morning" where I want the timings between 7:15 AM-3:45 PM, "Afternoon" Where the time is from 3:50 PM to 11 PM and "Night" where the time is from 11:03 PM to 7 AM. (Picture Below)

2> Then count the number of tickets corresponding to those time periods and display their count under those three groups accordingly (Like in the picture below)

alt text

How can I do the same.

Thanks in advance.

Tags (1)
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

493669
Super Champion
‎01-18-2018 03:33 AM

Hi @shiv1593,
Run below query... I have tested it

<your current search giving fields "Created Time", "Number" and "Priority" >
 | rename COMMENT as "Converting Created Time values to number of seconds past midnight"
 | eval CTime=strptime('Created Time',"%I:%M:%S %p")-relative_time(now(),"@d")
 | eval Period=case(CTime>=26100 AND CTime<56700,"Morning", CTime>=57000 AND CTime<82800,"Afternoon", true(),"Night")
 | chart count over Period by Priority

Hope this helps you..

View solution in original post

Reply
Solved! Jump to solution
Solution

493669
Super Champion
‎01-18-2018 03:33 AM

Hi @shiv1593,
Run below query... I have tested it

<your current search giving fields "Created Time", "Number" and "Priority" >
 | rename COMMENT as "Converting Created Time values to number of seconds past midnight"
 | eval CTime=strptime('Created Time',"%I:%M:%S %p")-relative_time(now(),"@d")
 | eval Period=case(CTime>=26100 AND CTime<56700,"Morning", CTime>=57000 AND CTime<82800,"Afternoon", true(),"Night")
 | chart count over Period by Priority

Hope this helps you..

Reply
Solved! Jump to solution

shiv1593
Communicator
‎01-18-2018 03:51 AM

Hello,

That is working like a charm. Thank you

Two quick questions.

  1. I want to understand how the query worked. Can you explain me these two codes

    | eval CTime=strptime('Created Time',"%I:%M:%S %p")-relative_time(now(),"@d")

    | eval Period=case(CTime>=26100 AND CTime<56700,"Morning", CTime>=57000 AND CTime<82800,"Afternoon", true(),"Night")

  2. Can you please tell me how did you calculate these values? 26100,56700,57000 and 82800

Thanks

0 Karma
Reply
Solved! Jump to solution

493669
Super Champion
‎01-18-2018 04:07 AM

  1. strptime command is used to convert timestamp into epoch(in seconds) so here 'Created Time' is converted into seconds then relative_time command here will determines the UNIX time value of the start of today, based on the value of now() i.e. it will bring today's time to today's starting time(12:00 AM) and convert into epoch
    So, after substraction cTime will contain today's time in seconds.
    refer http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/DateandTimeFunctions

  2. 26100---> as you mentioned Morning time should be in between 7.15 am and 3:45 PM ..so I have converted time into seconds as (7*60*60)+(15*60)=26100 similarly calculated other time into seconds..
    Then checked if cTime is falls between which conditions and as per assign period.

Hope this helps you..Let me know in case of any query

Reply
Solved! Jump to solution

shiv1593
Communicator
‎01-18-2018 04:39 AM

Thanks a lot! It really has helped me a lot.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎01-17-2018 09:09 AM

Try like this

your current search giving fields "Created Time", "Number" and "Priority" 
| rename COMMENT as "Converting Created Time values to number of seconds past midnight"
| eval CTime=strptime('Created Time',"%H:%M:%S %p")-relative_time(now(),"@d")
| eval Period=case(CTime>=26100 AND CTime<56700,"Morning", CTime>=57000 AND CTime<82800,"Afternoon", true(),"Night")
| chart count over Period by Priority
Reply
Solved! Jump to solution

shiv1593
Communicator
‎01-17-2018 09:23 AM

Hello,

I tried it. It is giving just the values for Morning and Night. 

        Period    Priority 2    Priority 3  Priority 4
    1   Morning   177           6204            32
    2   Night     168           6272            24
0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎01-17-2018 09:27 AM

Try this

your current search giving fields "Created Time", "Number" and "Priority" 
 | eval CTime=strptime('Created Time',"%H:%M:%S %p")
 | eval Period=case(CTime>=strptime("7:15 AM","%H:%M %p") AND CTime<strptime("3:45 PM","%H:%M %p"),"Morning", CTime>=strptime("3:50 PM","%H:%M %p")AND CTime<strptime("11:00 PM","%H:%M %p"),"Afternoon", true(),"Night")
 | chart count over Period by Priority
0 Karma
Reply
Solved! Jump to solution

shiv1593
Communicator
‎01-18-2018 02:36 AM

Tried it. It is now giving values of Afternoon and Night:

    Period         Priority 2        Priority 3   Priority 4
1   Afternoon     233                7592             20
2   Night          112               4884             36
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...