Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I split Splunk query into time ranges?

coreytoast
Explorer
‎09-04-2022 01:55 PM

Hi Everyone,

If I am searching through the past 4 weeks in one query, how can I break this data into two columns, one for previous 2 weeks, and one for latest 2 weeks, then sort by Latest 2 weeks?

In general, im using stats to display the amount of objects affected by errors occurring  in a 4 week period but would like to see them displayed in two 2 week periods, sorted by the amount in the latest 2 weeks.

| stats dc(objects) as OBJ by errorMessage

| span -OBJ

 

CURRENT OUTPUT

 

ERROR MESSAGE OBJ
message 1 1792
message 2 1210
message 3 957

 

 

DESIRED OUTPUT

ERROR MESSAGE LATEST 2 WEEKS PREVIOUS 2 WEEKS
message 1 967 825
message 2 872 666
message 3 103 854

 

Thanks all,

Corey

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎09-06-2022 04:33 PM

Use something like this

...
| bin _time span=2w@w aligntime=@w
| eval t=if(_time < relative_time(now(), "-2w@w"), "Previous", "Latest")
| chart dc(objects) as OBJ over errorMessage by t
| sort - Latest

bin will segregate time into two week sections. t= will then categorise which period the event fits into, then chart will do your tabling.

 

View solution in original post

Tags (1)
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎09-06-2022 04:33 PM

Use something like this

...
| bin _time span=2w@w aligntime=@w
| eval t=if(_time < relative_time(now(), "-2w@w"), "Previous", "Latest")
| chart dc(objects) as OBJ over errorMessage by t
| sort - Latest

bin will segregate time into two week sections. t= will then categorise which period the event fits into, then chart will do your tabling.

 

Tags (1)
Reply
Solved! Jump to solution

coreytoast
Explorer
‎09-13-2022 07:02 AM

This worked perfectly, thank you so much

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎09-06-2022 06:57 AM

You can also look into the | timewrap command.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-04-2022 04:55 PM

Please tell us more about the use case?  What kind of data?  What should the output look like?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

coreytoast
Explorer
‎09-06-2022 02:58 AM

updated question

Tags (1)
0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-06-2022 06:18 AM

Use eval to break the results into 2-week periods then have stats group the results by period.

| eval period=if(_time>=relative_time(now(), "-2w"), "LATEST 2 WEEKS", "PREVIOUS 2 WEEKS")
| stats dc(objects) as OBJ by errorMessage, period
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎09-04-2022 04:54 PM

Basic way to split by _time is to use either

... search ...
| timechart span=2w

or to use an aggregation command splitting by time where you define the window, like this

... search ...
| bin _time span=2w
| stats .... by _time

depending on what you want your output to be will dictate what fits your use case

0 Karma
Reply
Solved! Jump to solution

coreytoast
Explorer
‎09-06-2022 03:05 AM

I have updated my question to give more context

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...