Solved: How to Sum of count of data received twice per day...

vdalvi · ‎08-13-2020

Hi,

Below is my search query:

index=abc host=xyz source=abcdef
| rename size AS RootObject.size topicName AS RootObject.topicName
| fields "_time" "host" "source" "sourcetype" "RootObject.size" "RootObject.topicName"
| eval "RootObject.topicName"='RootObject.topicName', _time='_time'
| timechart dedup_splitvals=t limit=100 useother=t sum(RootObject.size) AS "Sum of size" span=1d by RootObject.topicName usenull=f
| sort limit=0 _time
| fields _time properties.dta properties.mta

Search Result:

_time properties.dta properties.mta

2020-08-07 00:00 | 2149528 | 25167867
2020-08-07 04:00 | 151400 | 1522424
2020-08-08 00:00 | 2299209 | 24934163
2020-08-08 04:00 | | 1769140

As seen above I get data at 12.00 am and 4.00 am; How can i combine i.e (sum) single days data in just one row? Pleas

to4kawa · ‎08-13-2020

add

| eval date=strftime(_time,"%F")
| stats sum(*) as * by date

View solution in original post

to4kawa · ‎08-13-2020

add

| eval date=strftime(_time,"%F")
| stats sum(*) as * by date

vdalvi · ‎08-17-2020

@to4kawa thank you!! exactly what I was looking for 🙂

How to Sum of count of data received twice per day for last 30 days.

Splunk Observability as Code: From Zero to Dashboard

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Shape the Future of Splunk: Join the Product Research Lab!

Are you a member of the Splunk Community?

How to Sum of count of data received twice per day for last 30 days.

Splunk Observability as Code: From Zero to Dashboard

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Shape the Future of Splunk: Join the Product Research Lab!