Solved: How to Sum of count of data received twice per day...

vdalvi · ‎08-13-2020

Hi,

Below is my search query:

index=abc host=xyz source=abcdef
| rename size AS RootObject.size topicName AS RootObject.topicName
| fields "_time" "host" "source" "sourcetype" "RootObject.size" "RootObject.topicName"
| eval "RootObject.topicName"='RootObject.topicName', _time='_time'
| timechart dedup_splitvals=t limit=100 useother=t sum(RootObject.size) AS "Sum of size" span=1d by RootObject.topicName usenull=f
| sort limit=0 _time
| fields _time properties.dta properties.mta

Search Result:

_time properties.dta properties.mta

2020-08-07 00:00 | 2149528 | 25167867
2020-08-07 04:00 | 151400 | 1522424
2020-08-08 00:00 | 2299209 | 24934163
2020-08-08 04:00 | | 1769140

As seen above I get data at 12.00 am and 4.00 am; How can i combine i.e (sum) single days data in just one row? Pleas

to4kawa · ‎08-13-2020

add

| eval date=strftime(_time,"%F")
| stats sum(*) as * by date

View solution in original post

to4kawa · ‎08-13-2020

add

| eval date=strftime(_time,"%F")
| stats sum(*) as * by date

vdalvi · ‎08-17-2020

@to4kawa thank you!! exactly what I was looking for 🙂

How to Sum of count of data received twice per day for last 30 days.

other

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms