Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I group counts by time ranges in a row?

OliverG91
Explorer
‎01-30-2021 12:01 PM

For a certain time range, I want to group together the counts in a single row, divided into equal time slices.
For example, for  "-15m" I want see 5-minute counts something like this:

index Last15MinCount Last10MinCount Last5MinCount
APP1     100                      123                               345
APP2    32                          55                                   60

The idea is for me to compare the Last5MinCount to the Avg of Last15MinCount and Last10MinCount. I could not find a suitable way of simplifying my query, but I got this instead (note: times shd have 'at'm; this forum links 'at' to members):

index=* earliest=-15m
| rex field=message "(?i)(?<ORG>[C]{0,1}+MS\w*)+(?i)\.(?<ENV>[dev|test|prod]+(-pci){0,1})\.+(?i)(?<APP>[\w-]+)"
| rex field=_raw ".*(?<level>LEVEL)[\s\S]{0,5}(?<code>FATAL|ERROR|WARN|DEBUG|INFO).*"
| eval time15=relative_time(now(), "-15m")
| eval time10=relative_time(now(), "-10m")
| eval time05=relative_time(now(), "-05m")
| eval time00=relative_time(now(), "-00m")
| eval etime=_time
| eval Time=case(tonumber(etime)>tonumber(time15) AND tonumber(etime) <= tonumber(time10), "Last15",
tonumber(etime)>tonumber(time10) AND tonumber(etime) <= tonumber(time05), "Last10",
tonumber(etime)>tonumber(time05) AND tonumber(etime) <= tonumber(time00), "Last05")
| stats count(eval(Time=="Last15E")) AS Last15
count(eval(Time=="Last10E")) AS Last10
count(eval(Time=="Last05E")) AS Last05
by APP

This gives me the desired rows. My question is about these lines:

| eval time15=relative_time(now(), "-15m")
| eval Time=case(tonumber(etime)>tonumber(time15) AND tonumber(etime) <= tonumber(time10), "Last15"
and
| stats count(eval(Time=="Last15E")) AS Last15
can probably be combined into one line, but I could not find the most apropriate function.

Any help in simplifying this would be appreciated. Thanks!

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tread_splunk
Splunk Employee
Splunk Employee
‎01-31-2021 01:06 PM 
index=_internal 
| timechart count span=5m by sourcetype partial=f limit=0 
| streamstats count 
| eval timespan=case(count==1,"1.Last15MinCount",count==2,"2.Last10MinCount",count==3,"3.Last5MinCount") 
| table timespan,* 
| untable timespan,sourcetype,count 
| xyseries sourcetype,timespan,count

Is this along the right lines?  Run this query over the last 20minutes.  "partial=f" is useful on the timechart to suppress the first and last partial time bins.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

tread_splunk
Splunk Employee
Splunk Employee
‎01-31-2021 01:14 PM

I'm assuming you want Last15MinCount to be the number of events that arrived between 15 and 10mins ago, Last10MinCount to be the number of events that arrived between 10 and 5 mins ago, and Last5MinCount is self-explanatory.  Looks that way from your example.

0 Karma
Reply
Solved! Jump to solution
Solution

tread_splunk
Splunk Employee
Splunk Employee
‎01-31-2021 01:06 PM 
index=_internal 
| timechart count span=5m by sourcetype partial=f limit=0 
| streamstats count 
| eval timespan=case(count==1,"1.Last15MinCount",count==2,"2.Last10MinCount",count==3,"3.Last5MinCount") 
| table timespan,* 
| untable timespan,sourcetype,count 
| xyseries sourcetype,timespan,count

Is this along the right lines?  Run this query over the last 20minutes.  "partial=f" is useful on the timechart to suppress the first and last partial time bins.

0 Karma
Reply
Solved! Jump to solution

OliverG91
Explorer
‎02-01-2021 10:36 AM

Yes, the Last15Mincount is the count bet 10-15min.

This definitely makes it a lot simpler, thank you very much!

0 Karma
Reply
Solved! Jump to solution

OliverG91
Explorer
‎01-30-2021 12:04 PM

PS. I have some typos on the variable names, and the "| rex" lines are not relevant to the question. Please ignore those.

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...