Splunk Search

How can I calculate the number of errors for the last hour for a period of time and get the min/max in that time span?

New Member

Hi All,
I'm trying to do a simple search on a log based on relative time, i.e. I need to calculate the number of errors for the last hour over a period of time and get the min/max in that time span.
e.g.: If I log in now at 1:15 AM I should see the results from 00:00 to 1:00 AM, and I need those values for a period of time in which I can find the min/max for that period.

So the query below, which I'm trying, is not working.

index=xyz|eval Time1=strftime(relative_time(now(),"-1h")|table Time1|dedup time1|Join Time1[search index =xyz|eval testDate=strftime(_time,"%Y-%m-%d")|eval Time1=strftime(_time,"%H")|stats count(eval(Logstate="Reject") as RejectCount by TestDate Time1]

But the above query doesn't fetch the desired result. So, could anyone help with it?

Thanks in advance

0 Karma

SplunkTrust

For writing a better search you should filter the required results as early in your search as possible. In your case, since you are interested only in Rejected events, you should include Logstate="Reject" in your base search and just print the count.

index=xyz earliest=-1h@h latest=@h Logstate="Reject"
| stats count as RejectCount min(_time) as EarliestEventTime max(_time) as LatestEventTime
| addinfo
| fieldformat info_min_time=strftime(info_min_time,"%c")
| fieldformat info_max_time=strftime(info_max_time,"%c")
| fieldformat EarliestEventTime=strftime(EarliestEventTime ,"%c")
| fieldformat LatestEventTime=strftime(LatestEventTime,"%c")
| fields - info_search_time info_sid

PS: All the time fields are added for you to see your search's earliest and latest time (i.e. info_min_time and info_max_time) and also your earliest and latest events (EarliestEventTime, LatestEventTime). You can remove these fields if you don't require them or once you have tested the results as per your need.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Champion

I am not sure of the join logic..
but, when you run the 2nd part alone, will it give results?

index=xyz|eval testDate=strftime(_time,"%Y-%m-%d")|eval Time1=strftime(_time,"%H")|stats count(eval(Logstate="Reject")) as RejectCount by testDate Time1| table RejectCount testDate Time1
0 Karma

Contributor

I assume you intend to create some statistics about the events from the last full hour, e.g. at 09:36 you want all events which occurred between 08:00 and 08:59:59.999, so earliest=-1h@h latest=@h will give you just these events. There you may just append your stats function. I don't know if you can have an eval in a count; I had to take the eval out of the count function on some occasions.
If you need the count per full hour for some time, e.g. the last day, then my best guess would be to use span.

0 Karma
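Following the span hint above, here is an added example (not from any poster on this thread) of an hourly Reject count over the last day with the min/max across those hours, plus a simple baseline check that flags unusually high hours. It assumes the index `xyz` and the field `Logstate` from the question; the output field names are my own.

```spl
index=xyz Logstate="Reject" earliest=-24h@h latest=@h
| timechart span=1h count AS RejectCount
| eventstats min(RejectCount) AS MinPerHour
             max(RejectCount) AS MaxPerHour
             avg(RejectCount) AS AvgPerHour
             stdev(RejectCount) AS StdevPerHour
| eval Hour=strftime(_time, "%Y-%m-%d %H:00")
| eval Suspicious=if(RejectCount > AvgPerHour + 2*StdevPerHour, "yes", "no")
| table Hour RejectCount MinPerHour MaxPerHour AvgPerHour Suspicious
```

timechart is used instead of `bin` + `stats` so that hours with zero Reject events still appear as 0, which keeps the min correct when a quiet hour had no rejects at all.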

Contributor
index=xyz earliest=-1h@h latest=@h ...

see Time Modifiers