Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I aggregate events using 2 different timestamps?

magenta
New Member
‎04-11-2016 10:06 AM

I am looking to "segment" operational changes(events) based on both the CLOSEDDATE & OPENDATE and essentially calculate the total number of changes in the month of March based on CLOSEDATE into one column and then OPENDATE for another column

I have created a stats table based on OPENDATE where I segment the events into different time buckets:

| eval _time=strptime(OPENDATETIME,"%Y-%m-%d %H:%M:%S")

Can I run a stats command on the events indexed using OPENDATE and then use appendcols to filter events that occurred in the last month using CLOSEDDATE?

Or is there a better way to do this?

0 Karma
Reply

somesoni2
Revered Legend
‎04-12-2016 12:11 PM

I would try like this

your base search | eval OpenMonth=strftime(strptime(OPENDATETIME,"%Y-%m-%d %H:%M:%S") ,"%Y-%m") | eval ClosedMonth=strftime(strptime(CLOSEDATETIME,"%Y-%m-%d %H:%M:%S") ,"%Y-%m") | eval OpenedInMarch=if(OpenMonth="2016-03",1,0) | eval ClosedInMarch=if(ClosedMonth="2016-03",1,0) | stats sum(OpenedInMarch) as OpenedInMarch sum(ClosedInMarch) as ClosedInMarch
0 Karma
Reply

woodcock
Esteemed Legend
‎04-11-2016 10:53 PM

Ignore any feelings about implementation approaches: What exactly are you trying to do? Show sample events, and desired output.

0 Karma
Reply

somesoni2
Revered Legend
‎04-11-2016 12:12 PM

Do both CLOSEDATE and OPENDATE field appear on the same event?? Are you looking for how many new changes opened in March and how many closed in March?

0 Karma
Reply

sundareshr
Legend
‎04-11-2016 11:52 AM

Assuming you events will have either the OPENDATETIME OR CLOSEDDATETIME, you could do 

index=* | eval openmonth=strftime(OPENDATETIME, "%m") | eval closedmonth=strftime(OPENDATETIME, "%m") | where openmonth="04" OR closedmonth="04" | stats count(OPENDATETIME) as open count(CLOSEDDATETIME) as closed
0 Karma
Reply

magenta
New Member
‎04-12-2016 10:34 AM

Each event has both OPENDATETIME & CLOSEDDATETIME so i'm looking to actually create a table by business process that includes the following fields:
1) changes opened in march (based on opendate)
2) changes opened in march leading to errors (based on opendate)
2) changes opened in march (based on closeddate)

All shown by Business process - so the question is can i use STATS to count by OPENDATE (using _time=OPENDATETIME) and then index by CLOSEDDATETIME and count again?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...