Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to count the number of events within a dynamic...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mspoerr
Path Finder
10-13-2015
02:26 PM
Hello,
I have logs with the following fields:
StartTime (which is used as _time)
Duration (in seconds)
The goal now is to count the number of events in the same timerange (_time + duration)
i.e.:
StartTime | Duration | EventNr
7/2/2015 8:45:00 AM | 3600 | 1
7/2/2015 8:50:00 AM | 600 | 2
7/2/2015 8:55:00 AM | 600 | 3
7/2/2015 9:10:00 AM | 1200 | 4
7/2/2015 10:00:00 AM | 1200 | 5
Range for Event #1 is from 8:45 to 9:45 -> 4 events in this timerange
Range for Event #2 is from 8:50 to 9:00 -> 2 events
...
Result should be a table:
EventNr | EventCount
1 | 4
2 | 2
...
Thanks,
Mathias
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
10-14-2015
06:51 AM
You can do this with the concurrency command like this:
... | concurrency duration=Duration output=EventCount
Here is another very "expensive" way to do it but it will work:
... | eval StartTime=_time | eaval EndTime = _time + Duration | map search="search _time>=$StartTime$ AND _time<=$EndTime$ | stats count AS EventCount | eval EventNr=$EventNr$"]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
10-14-2015
06:51 AM
You can do this with the concurrency command like this:
... | concurrency duration=Duration output=EventCount
Here is another very "expensive" way to do it but it will work:
... | eval StartTime=_time | eaval EndTime = _time + Duration | map search="search _time>=$StartTime$ AND _time<=$EndTime$ | stats count AS EventCount | eval EventNr=$EventNr$"]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
henrysoon
New Member
10-13-2015
11:19 PM
Pls using eventstats calculation.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
10-13-2015
02:56 PM
How many rows that might be processed by the search? How many distinct EventNr can exists?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mspoerr
Path Finder
10-13-2015
09:34 PM
It's a csv with 3000 events and each event has it's distinct EventNr
Get Updates on the Splunk Community!
Splunk App for Anomaly Detection End of Life Announcment
Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...
Aligning Observability Costs with Business Value: Practical Strategies
Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...
Mastering Data Pipelines: Unlocking Value with Splunk
In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
