Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help group by second level using _time function

dhavamanis
Builder
‎11-07-2014 12:27 PM

We have the logs with milliseconds, but when use _time function and its not giving the second level grouped results, Can you please help us to group the results upto seconds.

Query :

index="idxweblog" source="/var/log/idx/api.log" "/member/login"  | stats count as individual_event by _time

Output :

2014-10-31 16:38:55     1
2014-10-31 16:39:23     1
2014-10-31 17:02:21     1
2014-10-31 17:02:21     1
2014-10-31 17:02:21     1
2014-10-31 17:02:21     1
2014-10-31 17:02:21     1
2014-10-31 17:02:21     1
2014-10-31 17:02:21    1
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dhavamanis
Builder
‎12-10-2014 01:24 PM

After adding time format and we got the required output.

index="idxweblog" source="/var/log/idx/api.log" "/member/login" "API_KEY=c6e823fff8b14405a04408162bbe6e11" | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(_time) AS c_time | stats count as individual_event by c_time | stats sum(individual_event) as total_sec by c_time

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

dhavamanis
Builder
‎12-10-2014 01:24 PM

After adding time format and we got the required output.

index="idxweblog" source="/var/log/idx/api.log" "/member/login" "API_KEY=c6e823fff8b14405a04408162bbe6e11" | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(_time) AS c_time | stats count as individual_event by c_time | stats sum(individual_event) as total_sec by c_time

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎11-07-2014 03:04 PM

_time is not a function, it's a field. It contains the unix epoch timestamp for that particular event.

timechart is a search command, and most likely what you want. http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/timechart

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎11-07-2014 12:37 PM

By default the _time column doesn't render milliseconds. You can see that by appending this:

... | eval mytime = strftime(_time, "%F %T.%3N")

Go with timechart though.

0 Karma
Reply
Solved! Jump to solution

dhavamanis
Builder
‎11-07-2014 01:07 PM

seems the below one working fine,

index="idxweblog" source="/var/log/idx/api.log" "/member/login" "API_KEY=c6e823fff8b14405a04408162bbe6e11" | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(_time) AS c_time | stats count as individual_event by c_time | stats sum(individual_event) as total_sec by c_time

expected Output :

2014-10-31 16:38:55 1
2014-10-31 16:39:23 1
2014-10-31 17:02:21 7

but we would like to know the difference between _time and timechart. seems timechart also using the _time function at back end. when we do " timechart span=1s count" not giving the correct results.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎11-07-2014 12:34 PM

What is the expected output?

try this as well

index="idxweblog" source="/var/log/idx/api.log" "/member/login"  | timechart span=1s count as individual_event
0 Karma
Reply
Get Updates on the Splunk Community!

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...

Uncovering Multi-Account Fraud with Splunk Banking Analytics

Last month, I met with a Senior Fraud Analyst at a nationally recognized bank to discuss their recent success ...

Secure Your Future: A Deep Dive into the Compliance and Security Enhancements for the ...

What has been announced?  In the blog, “Preparing your Splunk Environment for OpensSSL3,”we announced the ...