Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I split Splunk query into time ranges?

coreytoast
Explorer
‎09-04-2022 01:55 PM

Hi Everyone,

If I am searching through the past 4 weeks in one query, how can I break this data into two columns, one for previous 2 weeks, and one for latest 2 weeks, then sort by Latest 2 weeks?

In general, im using stats to display the amount of objects affected by errors occurring  in a 4 week period but would like to see them displayed in two 2 week periods, sorted by the amount in the latest 2 weeks.

| stats dc(objects) as OBJ by errorMessage

| span -OBJ

 

CURRENT OUTPUT

 

ERROR MESSAGE OBJ
message 1 1792
message 2 1210
message 3 957

 

 

DESIRED OUTPUT

ERROR MESSAGE LATEST 2 WEEKS PREVIOUS 2 WEEKS
message 1 967 825
message 2 872 666
message 3 103 854

 

Thanks all,

Corey

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎09-06-2022 04:33 PM

Use something like this

...
| bin _time span=2w@w aligntime=@w
| eval t=if(_time < relative_time(now(), "-2w@w"), "Previous", "Latest")
| chart dc(objects) as OBJ over errorMessage by t
| sort - Latest

bin will segregate time into two week sections. t= will then categorise which period the event fits into, then chart will do your tabling.

 

View solution in original post

Tags (1)
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎09-06-2022 04:33 PM

Use something like this

...
| bin _time span=2w@w aligntime=@w
| eval t=if(_time < relative_time(now(), "-2w@w"), "Previous", "Latest")
| chart dc(objects) as OBJ over errorMessage by t
| sort - Latest

bin will segregate time into two week sections. t= will then categorise which period the event fits into, then chart will do your tabling.

 

Tags (1)
Reply
Solved! Jump to solution

coreytoast
Explorer
‎09-13-2022 07:02 AM

This worked perfectly, thank you so much

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎09-06-2022 06:57 AM

You can also look into the | timewrap command.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-04-2022 04:55 PM

Please tell us more about the use case?  What kind of data?  What should the output look like?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

coreytoast
Explorer
‎09-06-2022 02:58 AM

updated question

Tags (1)
0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-06-2022 06:18 AM

Use eval to break the results into 2-week periods then have stats group the results by period.

| eval period=if(_time>=relative_time(now(), "-2w"), "LATEST 2 WEEKS", "PREVIOUS 2 WEEKS")
| stats dc(objects) as OBJ by errorMessage, period
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎09-04-2022 04:54 PM

Basic way to split by _time is to use either

... search ...
| timechart span=2w

or to use an aggregation command splitting by time where you define the window, like this

... search ...
| bin _time span=2w
| stats .... by _time

depending on what you want your output to be will dictate what fits your use case

0 Karma
Reply
Solved! Jump to solution

coreytoast
Explorer
‎09-06-2022 03:05 AM

I have updated my question to give more context

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Top