Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Displaying the count of events over varying time spans

bruceclarke
Contributor
‎06-18-2014 10:18 AM

All,

I want to create a search that will return the count of events over the last 5 minutes, 30 minutes, hour, 6 hours, and day. I was able to develop a search that nearly gets me there, but the rows and columns are reversed.

Unfortunately, the "transpose" command doesn't quite work, since it messes up the column names and I can't easily replace them.

The search I have so far is below. Does anyone know how I can achieve this? Maybe my search needs to be changed completely. Not sure.

<mySearch>
| eval span1=if(_time>relative_time(now(),"-5m"),1,0)
| eval span2=if(_time>relative_time(now(),"-30m"),1,0)
| eval span3=if(_time>relative_time(now(),"-60m"),1,0)
| eval span4=if(_time>relative_time(now(),"-360m"),1,0)
| eval span5=if(_time>relative_time(now(),"-1d@d"),1,0)
| chart sum(span1) as Last5Mins, sum(span2) as Last30Mins, sum(span3) as LastHr, sum(span4) as Last6Hrs, sum(span5) as Today by instance
| transpose 50

So, I want the columns to be all the values for instance and the rows to be Last5Mins, Last30Mins, etc.

Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎06-18-2014 11:26 AM

Give this a try

<mySearch>
| eval span1=if(_time>relative_time(now(),"-5m"),1,0)
| eval span2=if(_time>relative_time(now(),"-30m"),1,0)
| eval span3=if(_time>relative_time(now(),"-60m"),1,0)
| eval span4=if(_time>relative_time(now(),"-360m"),1,0)
| eval span5=if(_time>relative_time(now(),"-1d@d"),1,0)
| chart sum(span1) as Last5Mins, sum(span2) as Last30Mins, sum(span3) as LastHr, sum(span4) as Last6Hrs, sum(span5) as Today by instance
| untable instance metrics count | chart max(count) as count over metrics by instance

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎06-18-2014 11:26 AM

Give this a try

<mySearch>
| eval span1=if(_time>relative_time(now(),"-5m"),1,0)
| eval span2=if(_time>relative_time(now(),"-30m"),1,0)
| eval span3=if(_time>relative_time(now(),"-60m"),1,0)
| eval span4=if(_time>relative_time(now(),"-360m"),1,0)
| eval span5=if(_time>relative_time(now(),"-1d@d"),1,0)
| chart sum(span1) as Last5Mins, sum(span2) as Last30Mins, sum(span3) as LastHr, sum(span4) as Last6Hrs, sum(span5) as Today by instance
| untable instance metrics count | chart max(count) as count over metrics by instance
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎06-18-2014 12:08 PM

Just learned this command 2 days back 😉
Another benefit of splunk answers, continuous learning.

Reply
Solved! Jump to solution

bruceclarke
Contributor
‎06-18-2014 11:40 AM

This is exactly what I wanted. I didn't know of the "untable" command. Thanks!

0 Karma
Reply
Solved! Jump to solution

alterdego
Path Finder
‎06-18-2014 11:16 AM

Have you looked at appendcols?

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Appendcols

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...