Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Grouping _time

tahasefiani
Explorer
‎03-12-2020 03:40 AM

Hello,

I have this query 

| loadjob savedsearch="myquery"
  | where (strftime(_time, "%Y-%m-%d") >= "2020-02-26") AND (strftime(_time, "%Y-%m-%d") <= "2020-03-03") and STEP=="Click"
  | bucket _time span=1d
  |stats min(_time) as _time by MESSAGE
  |where MESSAGE = "337668c2-162c-4f4f-bda9-92f7816f2752" OR MESSAGE = "46095117-4dcb-4ebc-9906-8c23f1a1a26b" OR MESSAGE = "60eb62a4-c54a-4fc0-9aaa-17726ff62929" OR MESSAGE = "8b5e055c-17ab-4135-8b90-1fbc65032792"

Now i want to count the MESSAGE by _time

This is what i have as result

alt text

And this is what i want

alt text

Thanks for help

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply

manjunathmeti
Champion
‎03-12-2020 03:51 AM

use stats count:

| loadjob savedsearch="myquery"
| where (strftime(_time, "%Y-%m-%d") >= "2020-02-26") AND (strftime(_time, "%Y-%m-%d") <= "2020-03-03") and STEP=="Click"
| bucket _time span=1d
|stats min(_time) as _time by MESSAGE
|where MESSAGE = "337668c2-162c-4f4f-bda9-92f7816f2752" OR MESSAGE = "46095117-4dcb-4ebc-9906-8c23f1a1a26b" OR MESSAGE = "60eb62a4-c54a-4fc0-9aaa-17726ff62929" OR MESSAGE = "8b5e055c-17ab-4135-8b90-1fbc65032792"
| stats count by _time
0 Karma
Reply

tahasefiani
Explorer
‎03-12-2020 06:22 AM

@manjunathmeti the problème is that i can't do my join on _time. DO you have a solution to that?

0 Karma
Reply

manjunathmeti
Champion
‎03-12-2020 06:29 AM

Convert _time.

| loadjob savedsearch="myquery"
| where (strftime(_time, "%Y-%m-%d") >= "2020-02-26") AND (strftime(_time, "%Y-%m-%d") <= "2020-03-03") and STEP=="Click"
| bucket _time span=1d
| stats min(_time) as _time by MESSAGE
| where MESSAGE = "337668c2-162c-4f4f-bda9-92f7816f2752" OR MESSAGE = "46095117-4dcb-4ebc-9906-8c23f1a1a26b" OR MESSAGE = "60eb62a4-c54a-4fc0-9aaa-17726ff62929" OR MESSAGE = "8b5e055c-17ab-4135-8b90-1fbc65032792"
| eval time=strftime(_time, "%d/%m/%Y")
| stats count by time
0 Karma
Reply

tahasefiani
Explorer
‎03-12-2020 09:30 AM

@manjunathmeti junathm it's does't work as a timechart

0 Karma
Reply

manjunathmeti
Champion
‎03-13-2020 09:17 AM

can you comment your whole search query?

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...