Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How can I split Splunk query into time ranges?

coreytoast
Explorer
‎09-04-2022 01:55 PM

Hi Everyone,

If I am searching through the past 4 weeks in one query, how can I break this data into two columns, one for previous 2 weeks, and one for latest 2 weeks, then sort by Latest 2 weeks?

In general, im using stats to display the amount of objects affected by errors occurring  in a 4 week period but would like to see them displayed in two 2 week periods, sorted by the amount in the latest 2 weeks.

| stats dc(objects) as OBJ by errorMessage

| span -OBJ

 

CURRENT OUTPUT

 

ERROR MESSAGE OBJ
message 1 1792
message 2 1210
message 3 957

 

 

DESIRED OUTPUT

ERROR MESSAGE LATEST 2 WEEKS PREVIOUS 2 WEEKS
message 1 967 825
message 2 872 666
message 3 103 854

 

Thanks all,

Corey

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎09-06-2022 04:33 PM

Use something like this

...
| bin _time span=2w@w aligntime=@w
| eval t=if(_time < relative_time(now(), "-2w@w"), "Previous", "Latest")
| chart dc(objects) as OBJ over errorMessage by t
| sort - Latest

bin will segregate time into two week sections. t= will then categorise which period the event fits into, then chart will do your tabling.

 

View solution in original post

Tags (1)
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎09-06-2022 04:33 PM

Use something like this

...
| bin _time span=2w@w aligntime=@w
| eval t=if(_time < relative_time(now(), "-2w@w"), "Previous", "Latest")
| chart dc(objects) as OBJ over errorMessage by t
| sort - Latest

bin will segregate time into two week sections. t= will then categorise which period the event fits into, then chart will do your tabling.

 

Tags (1)
Reply
Solved! Jump to solution

coreytoast
Explorer
‎09-13-2022 07:02 AM

This worked perfectly, thank you so much

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎09-06-2022 06:57 AM

You can also look into the | timewrap command.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-04-2022 04:55 PM

Please tell us more about the use case?  What kind of data?  What should the output look like?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

coreytoast
Explorer
‎09-06-2022 02:58 AM

updated question

Tags (1)
0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-06-2022 06:18 AM

Use eval to break the results into 2-week periods then have stats group the results by period.

| eval period=if(_time>=relative_time(now(), "-2w"), "LATEST 2 WEEKS", "PREVIOUS 2 WEEKS")
| stats dc(objects) as OBJ by errorMessage, period
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎09-04-2022 04:54 PM

Basic way to split by _time is to use either

... search ...
| timechart span=2w

or to use an aggregation command splitting by time where you define the window, like this

... search ...
| bin _time span=2w
| stats .... by _time

depending on what you want your output to be will dictate what fits your use case

0 Karma
Reply
Solved! Jump to solution

coreytoast
Explorer
‎09-06-2022 03:05 AM

I have updated my question to give more context

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...