Splunk Search

Bucket Search Command Question

Ant1D
Motivator

Hey,

How would I go about writing a search that is able to show me how many events are found in a particular index (e.g. index=main) between Monday 4pm and Tuesday 11am every week between these times?

Any examples or an actual answer to this question would be great! 🙂

I have had a look at the bucket search command but not sure how to use it to achieve this (if possible).

The reason I say that I want this every week between these times is because I am aware that if I want to see these results for just one time (e.g. Monday 20th September 4pm to Tuesday 21st September 11am) then I could use the custom timerangepicker option in the Splunk Search app.

Thanks in advance for your help

0 Karma
1 Solution

ziegfried
Influencer

Count by week:

index=main (date_wday=tuesday date_hour>=16) OR (date_wday=wednesday date_hour<11) | eval week=strftime(_time,"%V") | stats count by week

or the sum:

index=main (date_wday=tuesday date_hour>=16) OR (date_wday=wednesday date_hour<11) | stats count


EDIT:

For each weekday:

index=main (date_wday=monday date_hour>=16) OR (date_wday=tuesday (date_hour>=16 OR date_hour<11)) OR (date_wday=wednesday date_hour<11) OR (date_wday=wednesday (date_hour>=16 OR date_hour<11)) OR (date_wday=thursday date_hour<11) OR (date_wday=thursday (date_hour>=16 OR date_hour<11)) OR (date_wday=friday date_hour<11) |...
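As an added example (not ziegfried's search or Splunk's own code), the same idea built from _time rather than the indexed date_* fields: date_wday/date_hour exist only when the timestamp was parsed out of the raw event and carry the event's own time zone, whereas strftime(_time, ...) is evaluated in the searching user's time zone. The first search counts the Monday 4pm to Tuesday 11am window from the question once per week (keyed by that week's Monday); the second generalizes to the Monday through Thursday 4pm to next-morning 11am windows from the follow-up, keyed by the day each window starts.

```spl
index=main
| eval dow=tonumber(strftime(_time, "%w")), hr=tonumber(strftime(_time, "%H"))
| where (dow=1 AND hr>=16) OR (dow=2 AND hr<11)
| eval window_start=strftime(relative_time(_time, "@w1"), "%Y-%m-%d 16:00")
| stats count BY window_start
| sort window_start

index=main
| eval dow=tonumber(strftime(_time, "%w")), hr=tonumber(strftime(_time, "%H"))
| where (dow>=1 AND dow<=4 AND hr>=16) OR (dow>=2 AND dow<=5 AND hr<11)
| eval window_day=if(hr<11, relative_time(_time, "-1d@d"), relative_time(_time, "@d"))
| eval window_start=strftime(window_day, "%Y-%m-%d (%A) 16:00")
| stats count BY window_start
| sort window_start
```

Both searches still honour the time range picker, so run them over the span you care about (for example the last 90 days) to get one row per window; %w numbers the weekday with Sunday as 0, so 1 to 4 are Monday to Thursday and 2 to 5 Tuesday to Friday.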


Ant1D
Motivator

Hey Ziegfried, your solution for each weekday was not quite what I was looking for but I have been able to tweak it to get the desired results. The link also is very useful. Thank you for your help.

0 Karma

Ant1D
Motivator

Thanks for the link. I will be sure to bookmark it 🙂 Thank you for your solution. Seems a bit repetitive lol but it looks ok so I will test it/tweak it and see how it goes.

0 Karma

ziegfried
Influencer

It's the ISO 8601 week number of the year (01-54). %U or %W would give you the same result (they differ only in whether the week starts on Sun or Mon). See http://www.tutorialspoint.com/python/time_strftime.htm and http://docs.python.org/library/datetime.html

Ant1D
Motivator

Thanks Ziegfried, how would I get this search to work for this same time period but for each weekday? (E.g. Monday 4pm to Tuesday 11am, Tuesday 4pm to Wednesday 11am...up to Thursday 4pm to Friday 11am)

0 Karma

Ant1D
Motivator

What does 'eval week=strftime(_time,"%V")' do? What does the %V represent?

0 Karma