Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Count days with events
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi everyone,
I have looked all over for a solution but without luck, so i'm approaching you hoping to find a solution.
I would like to count the amount of days (not the amount of events) that has events based on a ctime value in the log.
Sample log:
1398963749 1398963749 1432 1404320549
0 0 10446976 15988 2 4 0
DD_Servers_2003-2008_1398963749_FULL.f
NULL NULL 0 1 0 2 1399050149 NULL 1 0 0 0 0 0 0 NULL 0 0 0 NULL 777220 1 0 1999619 0 0 NULL 3 1398963602 3 0 NULL NULL 0 1 0 0
The first field states the EPOCH time of the event start (i should mention right away that Splunk time is not relevant as it is the time of insertion to the index, not this field)
what I do is:
index="foo" | convert ctime(bar)
From here on im stuck as to how to count the amount of days with the event (i.e. 33 days with events)
Thanks in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would do it like this
index="foo"
| bucket ctime span=1d
| stats dc(ctime) as numberofuniquedays
If you want to check that this makes sense, try
index="foo"
| bucket ctime span=1d
| stats count by ctime
| fieldformat ctime=strftime(ctime,"%x %X")
BTW, you can get Splunk to use the ctime of the event - and you probably should. It will make a lot of the reports easier and more sensible. Here is how do that:
props.conf
[sourcetypeOfData]
MAX_TIMESTAMP_LOOKAHEAD = 11
TIME_FORMAT = %s
This props.conf goes on the indexer(s), or wherever the data is being parsed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would do it like this
index="foo"
| bucket ctime span=1d
| stats dc(ctime) as numberofuniquedays
If you want to check that this makes sense, try
index="foo"
| bucket ctime span=1d
| stats count by ctime
| fieldformat ctime=strftime(ctime,"%x %X")
BTW, you can get Splunk to use the ctime of the event - and you probably should. It will make a lot of the reports easier and more sensible. Here is how do that:
props.conf
[sourcetypeOfData]
MAX_TIMESTAMP_LOOKAHEAD = 11
TIME_FORMAT = %s
This props.conf goes on the indexer(s), or wherever the data is being parsed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Thanks a lot, you steered me to the correct path.
it didn't work exactly as i wanted so what i did is:
index="foo" |
convert ctime(bar) as Time timeformat=%m/%d/%y |
bucket Time span=1d |
stats dc(Time) as numberofuniquedays
Thanks again!!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
