Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Combine events based on timestamps in event

manuarora12
New Member
‎11-14-2017 03:10 AM

I have events as following
Category=a starttime="2017-11-14 05:25:22"
Category=b starttime="2017-11-14 05:29:22"
Category=b starttime="2017-11-14 04:28:18"
Category=c starttime="2017-11-14 03:22:21"
Category=a starttime="2017-11-14 06:21:28"

I want all events count by Category by hour of occurance as per starttime. _time might be completely different from starttime.

So results should say something like

Hour Category Count
5 a 1
b 1
6 b 1

0 Karma
Reply

niketn
Legend
‎11-14-2017 12:54 PM

@manuarora12, you can try the following:

<YourBaseSearch>
|  eval _time=strptime(starttime,"%Y-%m-%d %H:%M:%S")
|  timechart span=1h count by Category
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

knielsen
Contributor
‎11-14-2017 05:16 AM

What about

<your search> | rex field=starttime "\S{10}\s(?<Hour>\d\d)" | stats count by Hour, Category

Regards,
Kai.

0 Karma
Reply
Get Updates on the Splunk Community!

Get Schooled with Splunk Education: Explore Our Latest Courses

At Splunk Education, we’re dedicated to providing incredible learning experiences that cater to every skill ...

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...