Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

First event

tahasefiani
Explorer
‎03-06-2020 12:31 AM

Hello, this is my query 

| loadjob savedsearch="myquery"
| where (strftime(_time, "%Y-%m-%d") >= "2020-02-26") AND (strftime(_time, "%Y-%m-%d") <= "2020-03-03") and STEP=="Click"
| bucket _time span=1d
|table _time,MESSAGE
|where MESSAGE = "337668c2-162c-4f4f-bda9-92f7816f2752" OR MESSAGE = "46095117-4dcb-4ebc-9906-8c23f1a1a26b" OR MESSAGE = "60eb62a4-c54a-4fc0-9aaa-17726ff62929" OR MESSAGE = "8b5e055c-17ab-4135-8b90-1fbc65032792"

And this is the result

alt text

What i want is only the lines on yellow:
If I have a message on the 26th, 27th and 28th I must have that of 26

Preview file
59 KB
0 Karma
Reply

woodcock
Esteemed Legend
‎03-06-2020 07:48 AM

Try this:

| loadjob savedsearch="myquery"
| rename COMMENT AS "Use timepicker to filter dates"
| addinfo
| rename COMMENT AS "First problem here: you used 'and' instead of 'AND'"
| where (_time >= info_min_time) AND (_time <= info_max_time)  AND STEP=="Click"
| bucket _time span=1d
| sort 0 - _time
| streamstats count AS _serial BY MESSAGE _time
| where _serial="1"

Or maybe even this:

| loadjob savedsearch="myquery"
| rename COMMENT AS "Use timepicker to filter dates"
| addinfo
| rename COMMENT AS "First problem here: you used 'and' instead of 'AND'"
| where (_time >= info_min_time) AND (_time <= info_max_time)  AND STEP=="Click"
| timechart span=1d first(_time) AS time BY MESSAGE
0 Karma
Reply

tahasefiani
Explorer
‎03-09-2020 01:36 AM

this query works for me 

 | loadjob savedsearch="myquery"
 | where (strftime(_time, "%Y-%m-%d") >= "2020-02-26") AND (strftime(_time, "%Y-%m-%d") <= "2020-03-03") and STEP=="Click"
 | bucket _time span=1d
 | stats earliest(_time) as _time by ID_MESSAGE
 | eval _time=strftime(_time, "%Y-%m-%d")

And this is the result :

_time ID_MESSAGE
27/02 YHDD
27/02 MFJIO
27/02 LKCFD
28/02 LMDFF

Now i wanna count ID_MESSAGE by _time to have this :

_time count(ID_MESSAGE)
27/02 3
28/02 1

0 Karma
Reply

tahasefiani
Explorer
‎03-06-2020 05:29 AM

@to4kawa @manjunathmeti for the two solution, i can't use after a timechart? 

dc(ID_MESSAGE) by _time

OR

timechart dc(ID_MESSAGE)
0 Karma
Reply

to4kawa
Ultra Champion
‎03-06-2020 06:23 AM

timechart ? 

....
| bucket _time span=1d
| table _time,MESSAGE

is same of timechart result.

but where does dc() come from?
your question First event doesn't need dc() and timechart .

0 Karma
Reply

tahasefiani
Explorer
‎03-06-2020 06:49 AM

the purpose of the query, at the base is to calculate the messages per day, and count the message only on the first day.This why i did this query.

Now, i have 3 ID_MESSAGE for 27/02 and one for 28/02

This is what i want :

27/02 => 3
28/02 => 1

| loadjob savedsearch="myquery"
| where (strftime(_time, "%Y-%m-%d") >= "2020-02-26") AND (strftime(_time, "%Y-%m-%d") <= "2020-03-03") and STEP=="Click"
| bucket _time span=1d
| stats earliest(_time) as _time by ID_MESSAGE
| eval _time=strftime(_time, "%Y-%m-%d") 
|timechart count(ID_MESSAGE)
0 Karma
Reply

manjunathmeti
Champion
‎03-06-2020 02:45 AM

hi @tahasefiani,

Try this:

| loadjob savedsearch="myquery"
| where (strftime(_time, "%Y-%m-%d") >= "2020-02-26") AND (strftime(_time, "%Y-%m-%d") <= "2020-03-03") and STEP=="Click"
| bucket _time span=1d
| stats earliest(_time) as time by MESSAGE 
| eval time=strftime(time, "%Y-%m-%d") 
| where IN(MESSAGE, "337668c2-162c-4f4f-bda9-92f7816f2752", "46095117-4dcb-4ebc-9906-8c23f1a1a26b", "60eb62a4-c54a-4fc0-9aaa-17726ff62929", "8b5e055c-17ab-4135-8b90-1fbc65032792")
Reply

to4kawa
Ultra Champion
‎03-06-2020 03:55 AM

Hi, @manjunathmeti
I like min() to epoch. your IN usage is cool.

0 Karma
Reply

tahasefiani
Explorer
‎03-06-2020 05:21 AM

I have an old version,so i can't use IN

0 Karma
Reply

wmyersas
Builder
‎03-06-2020 06:02 AM

How old? IN has worked since at least 6.3

0 Karma
Reply

to4kawa
Ultra Champion
‎03-06-2020 02:41 AM 
| loadjob savedsearch="myquery"
 | where (strftime(_time, "%Y-%m-%d") >= "2020-02-26") AND (strftime(_time, "%Y-%m-%d") <= "2020-03-03") and STEP=="Click"
 | bucket _time span=1d
 |stats min(_time) as _time by MESSAGE
 |where MESSAGE = "337668c2-162c-4f4f-bda9-92f7816f2752" OR MESSAGE = "46095117-4dcb-4ebc-9906-8c23f1a1a26b" OR MESSAGE = "60eb62a4-c54a-4fc0-9aaa-17726ff62929" OR MESSAGE = "8b5e055c-17ab-4135-8b90-1fbc65032792"
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...