Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I group and identify a set of events based on a time range?

hans
Splunk Employee
Splunk Employee
‎01-15-2010 06:16 PM

Let say I have events coming in everyday and I want to group the events as Monday's events, Tuesday's events, and so on. How do I do that?

Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎01-15-2010 07:29 PM

If the incoming events have time stamps already on them, or the time stamp is in the file name, you can configure Splunk to parse the time stamp and apply it to the events. Many time formats will be automatically recognized, or you can specify one explicity with settings available in props.conf.

When you view them, you can ask for any time range of events, or use reporting commands to group them by any span of time, e.g. sourcetype=mydate earliest=-60d latest=-1d | timechart span=1d count

If the events are not stamped with a time, and you want to indicate their time using the current time, you can configure Splunk to stamp them the current time by using

DATETIME_CONFIG = CURRENT

for the incoming data's sourcetype (or source or host) in props.conf

View solution in original post

Reply
Solved! Jump to solution

hulahoop
Splunk Employee
Splunk Employee
‎01-29-2010 07:21 PM

Also, Splunk provides default datetime fields to aid in time-based grouping/searching. These fields are available on any event:

  • date_second
  • date_minute
  • date_hour
  • date_mday (the day of the month)
  • date_wday (the day of the week)
  • date_month
  • date_year

To group events by day of the week, let's say for Monday, use date_wday=monday. If grouping by day of the week in a chart try:

... | timechart span=1d count by date_wday

More details and examples are available here: http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/Usedefaultfields#Default_datetime_fields

Happy dating! 😉

Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎01-15-2010 07:29 PM

If the incoming events have time stamps already on them, or the time stamp is in the file name, you can configure Splunk to parse the time stamp and apply it to the events. Many time formats will be automatically recognized, or you can specify one explicity with settings available in props.conf.

When you view them, you can ask for any time range of events, or use reporting commands to group them by any span of time, e.g. sourcetype=mydate earliest=-60d latest=-1d | timechart span=1d count

If the events are not stamped with a time, and you want to indicate their time using the current time, you can configure Splunk to stamp them the current time by using

DATETIME_CONFIG = CURRENT

for the incoming data's sourcetype (or source or host) in props.conf

Reply
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...