Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can We add diffrent search timing

ravindra_ap
Explorer
‎04-27-2013 11:26 AM

Hi,

Is it possible to run the same search with diffrent search time?

My requirement to have the count of transaction for particular hour in last 5 weeks , report looks as below:

Tran Type 25/Apr/13 07.00 -08.00 24/Apr/13 07.00 -08.00 23/Apr/13 07.00 -08.00

Get 100 80 95
Post 90 78 102

Tags (1)
0 Karma
Reply

_d_
Splunk Employee
Splunk Employee
‎04-28-2013 06:21 PM

Appending/subsearches can be pretty expensive in terms of performance and sometimes pretty hard to keep track of. What you probably need here is to run a single search over the last 5 weeks (or days, or whatever your window is) BUT scope it to the right hour interval. For example, this search will go back 5 days, search only between 9pm and 10pm and chart the count of events per method (GET or POST) for said slot of each day:

index=_internal source=*access* date_hour=21 earliest=-5d | chart count over method by date_mday

Reply

martin_mueller
SplunkTrust
SplunkTrust
‎04-27-2013 11:34 AM

You could run five subsearches appended to each other, with one set to the one hour you're looking for each week.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎04-27-2013 12:13 PM

Sure. This looks for the count of events in _internal for the past hour plus the same time in the past few weeks:

index=_internal earliest=-h | stats count | addinfo | append [search index=_internal earliest=-w-h latest=-w | stats count | addinfo] | append [search index=_internal earliest=-2w-h latest=-2w | stats count | addinfo] | append [search index=_internal earliest=-3w-h latest=-3w | stats count | addinfo] | append [search index=_internal earliest=-4w-h latest=-4w | stats count | addinfo] | fieldformat info_max_time = strftime(info_max_time, "%+") | fields count info_max_time
0 Karma
Reply

ravindra_ap
Explorer
‎04-27-2013 11:45 AM

Thanks Martin. Can you please give the example query if you have any as I am not sure how we can give the search time inside the search querty?

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...