Solved: How to convert this SQL query to splunk search

benazir · ‎02-01-2017

Hi ,
I have a sql query ,
Count distinct CHNL where MSG_NUM like 'cma%' group by MSG_TM.
Result should get display in hourly basis,

all the CHNL , MSG_NUM , MSG_TM is the column name , which has values . Kindly need your help to convert it .Result should be in hourly basis.

somesoni2 · ‎02-02-2017

Try something like,

index=foo sourceltype=bar MSG_NUM=cma* 
| bucket span=1h _time
| stats dc(CHNL) as uniq_channels by _time MSG_TM

or

index=foo sourceltype=bar MSG_NUM=cma* 
| timechart span=1h  dc(CHNL)  by MSG_TM

somesoni2 · ‎02-02-2017

Try something like,

index=foo sourceltype=bar MSG_NUM=cma* 
| bucket span=1h _time
| stats dc(CHNL) as uniq_channels by _time MSG_TM

or

index=foo sourceltype=bar MSG_NUM=cma* 
| timechart span=1h  dc(CHNL)  by MSG_TM

benazir · ‎02-05-2017

Thank you so much it works perfect with few modification.

richgalloway · ‎02-02-2017

Is your data already indexed or are you trying to read a SQL database from Splunk? If the former, see http://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/SQLtoSplunk. If the latter, check out the Splunk DB Connect app.

---
If this reply helps you, Karma would be appreciated.

How to convert this SQL query to splunk search