Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to count events from 5 pm today to 5 am the next day?

auaave
Communicator
‎06-11-2018 05:44 AM

Hi Guys,

Our operations changed their schedule from 5 pm to 5 am. How can I count events from these times daily?

I tried this with last 24 hours but it doesn't work.

| eval hour=strftime(_time, "%H")
| search hour>=6
| timechart SPAN=1H COUNT AS IDEVENT 
| rename IDEVENT AS " PALLET QUANTITY"

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎06-11-2018 06:20 AM

Your test for hour>6 will get 7 am to just less than 12 midnight.

You could change that to (hour<6 OR hour>15), but there is a much better option.

Try this ...

 | bin _time span=1h
 | stats count as PalletQuantity by _time

Now you have your Pallet Quantities for every hour of every day. To get 5 pm to 5 am, we can either do a complicated comparison, or we can add 7 hours and do a simple one. (Guess which one I prefer?) 

 | rename COMMENT as "add 7 hours in a junk field, throw away any full days, then keep only hours that are less than noon"  
 | eval killtime =  (_time+7*3600) % 86400
 | where killtime <  43200

We've already spanned it at the hour level, so timechart has very little to do here.

| timechart span=1h sum(PalletQuantity) as PalletQuantity

The above logic will work exactly the same if you bin the data at the 1m, 5m, 10m or 15m level, which would allow some level of zooming. You should do that if your operational data is accurate at a higher resolution.

Note - Please get out of the habit of using spaces inside field names. Replace your spaces with underscores or use CamelCase, and you will save yourself loads of headaches. If for organizational reasons you cannot present information this way, then do your field renaming at the very end, after all calculations are complete.

View solution in original post

Reply
Solved! Jump to solution

auaave
Communicator
‎06-11-2018 07:58 PM

Thank you @DalJeanis!! This is great! 🙂

0 Karma
Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎06-11-2018 06:20 AM

Your test for hour>6 will get 7 am to just less than 12 midnight.

You could change that to (hour<6 OR hour>15), but there is a much better option.

Try this ...

 | bin _time span=1h
 | stats count as PalletQuantity by _time

Now you have your Pallet Quantities for every hour of every day. To get 5 pm to 5 am, we can either do a complicated comparison, or we can add 7 hours and do a simple one. (Guess which one I prefer?) 

 | rename COMMENT as "add 7 hours in a junk field, throw away any full days, then keep only hours that are less than noon"  
 | eval killtime =  (_time+7*3600) % 86400
 | where killtime <  43200

We've already spanned it at the hour level, so timechart has very little to do here.

| timechart span=1h sum(PalletQuantity) as PalletQuantity

The above logic will work exactly the same if you bin the data at the 1m, 5m, 10m or 15m level, which would allow some level of zooming. You should do that if your operational data is accurate at a higher resolution.

Note - Please get out of the habit of using spaces inside field names. Replace your spaces with underscores or use CamelCase, and you will save yourself loads of headaches. If for organizational reasons you cannot present information this way, then do your field renaming at the very end, after all calculations are complete.

Reply
Solved! Jump to solution

harishalipaka
Motivator
‎06-11-2018 05:59 AM

convert your date field to epoch than add index=_internal earliest=1510101000 latest= 1510129800
ealist=from 5 pm epochs
latest=to 5 AM epoc

Thanks
Harish
Reply
Solved! Jump to solution

auaave
Communicator
‎06-11-2018 07:59 PM

Thanks a lot! 🙂
This works too!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...