Splunk Search

How to count events from 5 pm today to 5 am the next day?

auaave
Communicator

Hi Guys,

Our operations changed their schedule from 5 pm to 5 am. How can I count events from these times daily?

I tried this with last 24 hours but it doesn't work.

| eval hour=strftime(_time, "%H")
| search hour>=6
| timechart SPAN=1H COUNT AS IDEVENT 
| rename IDEVENT AS " PALLET QUANTITY"

Thanks!

0 Karma
1 Solution

DalJeanis
Legend

Your test for hour>6 will get 7 am to just less than 12 midnight.

You could change that to (hour<6 OR hour>15), but there is a much better option.

Try this ...

 | bin _time span=1h
 | stats count as PalletQuantity by _time 

Now you have your Pallet Quantities for every hour of every day. To get 5 pm to 5 am, we can either do a complicated comparison, or we can add 7 hours and do a simple one. (Guess which one I prefer?)

 | rename COMMENT as "add 7 hours in a junk field, throw away any full days, then keep only hours that are less than noon"  
 | eval killtime =  (_time+7*3600) % 86400
 | where killtime <  43200

We've already spanned it at the hour level, so timechart has very little to do here.

| timechart span=1h sum(PalletQuantity) as PalletQuantity

The above logic will work exactly the same if you bin the data at the 1m, 5m, 10m or 15m level, which would allow some level of zooming. You should do that if your operational data is accurate at a higher resolution.


Note - Please get out of the habit of using spaces inside field names. Replace your spaces with underscores or use CamelCase, and you will save yourself loads of headaches. If for organizational reasons you cannot present information this way, then do your field renaming at the very end, after all calculations are complete.

View solution in original post

auaave
Communicator

Thank you @DalJeanis!! This is great! 🙂

0 Karma

DalJeanis
Legend

Your test for hour>6 will get 7 am to just less than 12 midnight.

You could change that to (hour<6 OR hour>15), but there is a much better option.

Try this ...

 | bin _time span=1h
 | stats count as PalletQuantity by _time 

Now you have your Pallet Quantities for every hour of every day. To get 5 pm to 5 am, we can either do a complicated comparison, or we can add 7 hours and do a simple one. (Guess which one I prefer?)

 | rename COMMENT as "add 7 hours in a junk field, throw away any full days, then keep only hours that are less than noon"  
 | eval killtime =  (_time+7*3600) % 86400
 | where killtime <  43200

We've already spanned it at the hour level, so timechart has very little to do here.

| timechart span=1h sum(PalletQuantity) as PalletQuantity

The above logic will work exactly the same if you bin the data at the 1m, 5m, 10m or 15m level, which would allow some level of zooming. You should do that if your operational data is accurate at a higher resolution.


Note - Please get out of the habit of using spaces inside field names. Replace your spaces with underscores or use CamelCase, and you will save yourself loads of headaches. If for organizational reasons you cannot present information this way, then do your field renaming at the very end, after all calculations are complete.

harishalipaka
Motivator

convert your date field to epoch than add index=_internal earliest=1510101000 latest= 1510129800
ealist=from 5 pm epochs
latest=to 5 AM epoc

Thanks
Harish

auaave
Communicator

Thanks a lot! 🙂
This works too!

0 Karma
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...