Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I merge data with the same values in a table entry?

voninski
New Member
‎07-09-2016 03:58 PM

See the attached picture:

I am looking at a count of data for deliveries from 2 months ago and the previous months. By themselves the queries work perfectly. I am trying to build a barchart where i can show the data together. And am currently using the 'append' command. I have tried appendpipe and appendcols and neither is giving me the right data. This is as close as I have gotten. Unfortunately though i can have multiple 'Times' that are the same for example in the picture you can see that i have entries for both the previous month and 2 months ago for 11:00AM and 11:15AM etc. I would like to have only 1 entry for 11:00AM 11:15AM etc and then have the appropriate count for the '2 months ago' and 'previous month'

The query I am currently using is :
index=security "Mailbox to On" earliest=-2mon@mon latest=-1mon@mon | eval date=strftime(_time,"%x") | sort _time | dedup date | bin span=15min _time AS rounded_time | eval rounded_time_hour_min=strftime(rounded_time,"%H:%M") | stats count BY rounded_time_hour_min | rename count AS "2 Months Ago" |append [search index=security "Mailbox to On" earliest=-1mon@mon latest=@mon | eval date=strftime(_time,"%x") | sort _time | dedup date | bin span=15min _time AS rounded_time | eval rounded_time_hour_min=strftime(rounded_time,"%H:%M") | stats count BY rounded_time_hour_min | rename count AS "Previous Month"] | rename rounded_time_hour_min AS Time | sort Time | fields Time "2 Months Ago" "Previous Month"

alt text

Preview file
1 KB
0 Karma
Reply

woodcock
Esteemed Legend
‎07-10-2016 06:12 AM

You need the timewrap command/app:

https://splunkbase.splunk.com/app/1645/

0 Karma
Reply

voninski
New Member
‎07-10-2016 09:34 AM

TY this looks awesome and i am planning on testing it out. I always forget to check Splunkbase. Always amazed at the functionality out there.

0 Karma
Reply

sundareshr
Legend
‎07-09-2016 05:00 PM

Try this

index=security "Mailbox to On" earliest=-2mon@mon latest=@mon | eval when=if(_time>relative_time(now(), "-1mon@mon"), "Previous Month", "2 Months Ago") | timechart span=15m count by when
0 Karma
Reply

voninski
New Member
‎07-10-2016 09:45 AM

Thank you. This is a cleaner search. But all I care to know is within the timeframe what is the hour&min that was the delivery time and divide them out. I think I can rebuild this with your query to parse out the months. But will still need the basic structure to a) divide things out into the 15 min buckets b) discard everything but the first time the mailbox is opened (the initial delivery) and the stats values(*) as * by Time command which merges all my results together by Time..

My final query is :

index=security "Mailbox to On" earliest=-2mon@mon latest=-1mon@mon | eval date=strftime(_time,"%x") | sort _time | dedup date | bin span=15min _time AS rounded_time | eval rounded_time_hour_min=strftime(rounded_time,"%H:%M") | stats count BY rounded_time_hour_min | rename count AS "2 Months Ago" |append [search index=security "Mailbox to On" earliest=-1mon@mon latest=@mon | eval date=strftime(_time,"%x") | sort _time | dedup date | bin span=15min _time AS rounded_time | eval rounded_time_hour_min=strftime(rounded_time,"%H:%M") | stats count BY rounded_time_hour_min | rename count AS "Previous Month"] | append [search index=security earliest=@mon latest=now "Mailbox to On" | eval date=strftime(_time,"%x") | sort _time | dedup date | bin span=15min _time AS rounded_time | eval rounded_time_hour_min=strftime(rounded_time,"%H:%M") | stats count BY rounded_time_hour_min | rename count AS "Current Month"] | append [search index=security earliest=-3mon@mon latest=-2mon@mon "Mailbox to On" | eval date=strftime(_time,"%x") | sort _time | dedup date | bin span=15min _time AS rounded_time | eval rounded_time_hour_min=strftime(rounded_time,"%H:%M") | stats count BY rounded_time_hour_min | rename count AS "3 Months Ago"]| rename rounded_time_hour_min AS Time | sort Time |table Time, "Current Month" "Previous Month" "2 Months Ago" "3 Months Ago" | stats values(*) as * by Time | fields Time, "Current Month" "Previous Month" "2 Months Ago" "3 Months Ago"

0 Karma
Reply

voninski
New Member
‎07-10-2016 09:47 AM

wow - astericks dont show up here --- stats values(asterick) as asterick by Time

0 Karma
Reply

woodcock
Esteemed Legend
‎07-10-2016 05:48 PM

Indent your code 4 spaces and lead the code with a blank line.

0 Karma
Reply

sundareshr
Legend
‎07-10-2016 04:08 PM

That should do it as well, since you are using sub searches, you need to aware of the limitations. You can also achieve the 4 slices by using a case statement, instead of if. Like this

... | eval when=case(_time>relative_time(now(), "-1mon@mon"), "Previous Month", _time<relative_time(now(), "-2mon@mon") AND _time>relative_time(now(), "-1mon@mon"), "2 Months Ago", _time<relative_time(now(), "-3mon@mon") AND _time>relative_time(now(), "-2mon@mon"), "3 Months Ago", )  | ...
0 Karma
Reply

rvoninski_splun
Splunk Employee
Splunk Employee
‎07-11-2016 08:34 AM

This is an outstanding idea that is more efficient and helps me to avoid the subsearch limitations. I haven't implemented it yet. But this is definitely a much better way to go. Thank you very much for all of your help.

0 Karma
Reply

voninski
New Member
‎07-09-2016 04:10 PM

I think I just figured this out. I dropped the fields portion and added the following

table Time, "Previous Month" "2 Months Ago" | stats values(*) as * by Time

If anyone has a better idea let me know.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...