Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can We add diffrent search timing

ravindra_ap
Explorer
‎04-27-2013 11:26 AM

Hi,

Is it possible to run the same search with diffrent search time?

My requirement to have the count of transaction for particular hour in last 5 weeks , report looks as below:

Tran Type 25/Apr/13 07.00 -08.00 24/Apr/13 07.00 -08.00 23/Apr/13 07.00 -08.00

Get 100 80 95
Post 90 78 102

Tags (1)
0 Karma
Reply

_d_
Splunk Employee
Splunk Employee
‎04-28-2013 06:21 PM

Appending/subsearches can be pretty expensive in terms of performance and sometimes pretty hard to keep track of. What you probably need here is to run a single search over the last 5 weeks (or days, or whatever your window is) BUT scope it to the right hour interval. For example, this search will go back 5 days, search only between 9pm and 10pm and chart the count of events per method (GET or POST) for said slot of each day:

index=_internal source=*access* date_hour=21 earliest=-5d | chart count over method by date_mday

Reply

martin_mueller
SplunkTrust
SplunkTrust
‎04-27-2013 11:34 AM

You could run five subsearches appended to each other, with one set to the one hour you're looking for each week.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎04-27-2013 12:13 PM

Sure. This looks for the count of events in _internal for the past hour plus the same time in the past few weeks:

index=_internal earliest=-h | stats count | addinfo | append [search index=_internal earliest=-w-h latest=-w | stats count | addinfo] | append [search index=_internal earliest=-2w-h latest=-2w | stats count | addinfo] | append [search index=_internal earliest=-3w-h latest=-3w | stats count | addinfo] | append [search index=_internal earliest=-4w-h latest=-4w | stats count | addinfo] | fieldformat info_max_time = strftime(info_max_time, "%+") | fields count info_max_time
0 Karma
Reply

ravindra_ap
Explorer
‎04-27-2013 11:45 AM

Thanks Martin. Can you please give the example query if you have any as I am not sure how we can give the search time inside the search querty?

0 Karma
Reply
Get Updates on the Splunk Community!

Platform Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestIntroducing Splunk Edge Processor, simplified data ...

Enterprise Security Content Updates (ESCU) - New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 3 releases of new content via the Enterprise ...

Thought Leaders are Validating Your Hard Work and Training Rigor

As a Splunk enthusiast and member of the Splunk Community, you are one of thousands who recognize the value of ...