Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Grouping _time

tahasefiani
Explorer
‎03-12-2020 03:40 AM

Hello,

I have this query 

| loadjob savedsearch="myquery"
  | where (strftime(_time, "%Y-%m-%d") >= "2020-02-26") AND (strftime(_time, "%Y-%m-%d") <= "2020-03-03") and STEP=="Click"
  | bucket _time span=1d
  |stats min(_time) as _time by MESSAGE
  |where MESSAGE = "337668c2-162c-4f4f-bda9-92f7816f2752" OR MESSAGE = "46095117-4dcb-4ebc-9906-8c23f1a1a26b" OR MESSAGE = "60eb62a4-c54a-4fc0-9aaa-17726ff62929" OR MESSAGE = "8b5e055c-17ab-4135-8b90-1fbc65032792"

Now i want to count the MESSAGE by _time

This is what i have as result

alt text

And this is what i want

alt text

Thanks for help

Preview file
2 KB
Preview file
10 KB
0 Karma
Reply

manjunathmeti
Champion
‎03-12-2020 03:51 AM

use stats count:

| loadjob savedsearch="myquery"
| where (strftime(_time, "%Y-%m-%d") >= "2020-02-26") AND (strftime(_time, "%Y-%m-%d") <= "2020-03-03") and STEP=="Click"
| bucket _time span=1d
|stats min(_time) as _time by MESSAGE
|where MESSAGE = "337668c2-162c-4f4f-bda9-92f7816f2752" OR MESSAGE = "46095117-4dcb-4ebc-9906-8c23f1a1a26b" OR MESSAGE = "60eb62a4-c54a-4fc0-9aaa-17726ff62929" OR MESSAGE = "8b5e055c-17ab-4135-8b90-1fbc65032792"
| stats count by _time
0 Karma
Reply

tahasefiani
Explorer
‎03-12-2020 06:22 AM

@manjunathmeti the problème is that i can't do my join on _time. DO you have a solution to that?

0 Karma
Reply

manjunathmeti
Champion
‎03-12-2020 06:29 AM

Convert _time.

| loadjob savedsearch="myquery"
| where (strftime(_time, "%Y-%m-%d") >= "2020-02-26") AND (strftime(_time, "%Y-%m-%d") <= "2020-03-03") and STEP=="Click"
| bucket _time span=1d
| stats min(_time) as _time by MESSAGE
| where MESSAGE = "337668c2-162c-4f4f-bda9-92f7816f2752" OR MESSAGE = "46095117-4dcb-4ebc-9906-8c23f1a1a26b" OR MESSAGE = "60eb62a4-c54a-4fc0-9aaa-17726ff62929" OR MESSAGE = "8b5e055c-17ab-4135-8b90-1fbc65032792"
| eval time=strftime(_time, "%d/%m/%Y")
| stats count by time
0 Karma
Reply

tahasefiani
Explorer
‎03-12-2020 09:30 AM

@manjunathmeti junathm it's does't work as a timechart

0 Karma
Reply

manjunathmeti
Champion
‎03-13-2020 09:17 AM

can you comment your whole search query?

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...