Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I aggregate events using 2 different timestamps?

magenta
New Member
‎04-11-2016 10:06 AM

I am looking to "segment" operational changes(events) based on both the CLOSEDDATE & OPENDATE and essentially calculate the total number of changes in the month of March based on CLOSEDATE into one column and then OPENDATE for another column

I have created a stats table based on OPENDATE where I segment the events into different time buckets:

| eval _time=strptime(OPENDATETIME,"%Y-%m-%d %H:%M:%S")

Can I run a stats command on the events indexed using OPENDATE and then use appendcols to filter events that occurred in the last month using CLOSEDDATE?

Or is there a better way to do this?

0 Karma
Reply

somesoni2
Revered Legend
‎04-12-2016 12:11 PM

I would try like this

your base search | eval OpenMonth=strftime(strptime(OPENDATETIME,"%Y-%m-%d %H:%M:%S") ,"%Y-%m") | eval ClosedMonth=strftime(strptime(CLOSEDATETIME,"%Y-%m-%d %H:%M:%S") ,"%Y-%m") | eval OpenedInMarch=if(OpenMonth="2016-03",1,0) | eval ClosedInMarch=if(ClosedMonth="2016-03",1,0) | stats sum(OpenedInMarch) as OpenedInMarch sum(ClosedInMarch) as ClosedInMarch
0 Karma
Reply

woodcock
Esteemed Legend
‎04-11-2016 10:53 PM

Ignore any feelings about implementation approaches: What exactly are you trying to do? Show sample events, and desired output.

0 Karma
Reply

somesoni2
Revered Legend
‎04-11-2016 12:12 PM

Do both CLOSEDATE and OPENDATE field appear on the same event?? Are you looking for how many new changes opened in March and how many closed in March?

0 Karma
Reply

sundareshr
Legend
‎04-11-2016 11:52 AM

Assuming you events will have either the OPENDATETIME OR CLOSEDDATETIME, you could do 

index=* | eval openmonth=strftime(OPENDATETIME, "%m") | eval closedmonth=strftime(OPENDATETIME, "%m") | where openmonth="04" OR closedmonth="04" | stats count(OPENDATETIME) as open count(CLOSEDDATETIME) as closed
0 Karma
Reply

magenta
New Member
‎04-12-2016 10:34 AM

Each event has both OPENDATETIME & CLOSEDDATETIME so i'm looking to actually create a table by business process that includes the following fields:
1) changes opened in march (based on opendate)
2) changes opened in march leading to errors (based on opendate)
2) changes opened in march (based on closeddate)

All shown by Business process - so the question is can i use STATS to count by OPENDATE (using _time=OPENDATETIME) and then index by CLOSEDDATETIME and count again?

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...