Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to calculate the total count of occurances of a timestamp ?

naveenalagu
Explorer
‎02-01-2023 05:47 PM

Basically I have a set of raw data with different time stamp in CCYYMMDDHHMMSS format. I want to list out the stats which shows how many occurrences of CCYY then MM then DD . I am able to use STRFTIME to get the segregate the data into desired format as year month and day.
My expected result output is

YearYear CountMonthMonth CountDayDayCount
202210002022-112502022-11-2720
2023102022-121002022-11-125
    2022-11-2735

I used the below

|stats count as total by year, month day

But the actual output is not as expected

YearYear CountMonthMonth CountDayDayCount
2022202022-11202022-11-2720
202252022-1252022-11-125
2022352022-27352022-11-2735

 

Should be simple enough, just not for me. Please help.

Thanks!

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-02-2023 04:36 AM 
<yoursearch>
| stats count as DayCount by Day
| appendcols 
    [<yoursearchagain>
| stats count as MonthCount by Month]
| appendcols
    [<yoursearchagain>
| stats count as YearCount by Year]

View solution in original post

Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎02-02-2023 02:25 AM

Alternatively, if eventstats gets slow because there are too many events, you can stats as the first command.

| stats count as "Day Count" by year, month day ``` reduces rows to number of days in all events ```
| eventstats sum('Day Count') as "Month Count" by year month
| eventstats sum('Month Count') as "Year Count" by year

Just to point out: the desired output your illustrated is not "occurrences of CCYY then MM then DD," but occurrences of CCYY, then CCYYMM, then CCYYMMDD.  Additionally, 2022-27 is not a very good illustration of Month.

0 Karma
Reply
Solved! Jump to solution

naveenalagu
Explorer
‎02-02-2023 02:54 AM

Just to point out: the desired output your illustrated is not "occurrences of CCYY then MM then DD," but occurrences of CCYY, then CCYYMM, then CCYYMMDD.  

This is correct. I would have to further drill down to HH MM SS as well, which would be CCYYMMHHMMSS.  Thanks for the info.

 Additionally, 2022-27 is not a very good illustration of Month.

Apologies for this. 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-02-2023 12:14 AM 
| stats count as DayCount by Year Month Day
| eventstats sum(DayCount) as MonthCount by Year Month
| eventstats sum(DayCount) as YearCount by Year
Tags (1)
Reply
Solved! Jump to solution

naveenalagu
Explorer
‎02-02-2023 02:58 AM

Thanks a lot for this.
However, the Table comes out with repeated values for Year and Month.

naveenalagu_0-1675335375095.png

 DEDUP seems to remove entries of other Columns as well. Is there any way to remove those duplicates?

Thanks in advance!

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-02-2023 04:36 AM 
<yoursearch>
| stats count as DayCount by Day
| appendcols 
    [<yoursearchagain>
| stats count as MonthCount by Month]
| appendcols
    [<yoursearchagain>
| stats count as YearCount by Year]
Reply
Solved! Jump to solution

naveenalagu
Explorer
‎02-02-2023 07:45 AM

Thanks! That did the trick.🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...