Solved: Re: How to count the number of eventts starting at...

auaave · ‎01-03-2018

Hi Guys,

I have the below query using that is using the shared timepicker: today, which is counting the events from 00:00 to 23:59.
How can I make it to start count the events from 9:00 to 23:59?

| dedup IDEVENT 
| timechart SPAN=1H COUNT AS IDEVENT 
| rename IDEVENT AS " PALLET QUANTITY"

Thanks a lot!

mayurr98 · ‎01-03-2018

hey try this

your_base_Search earliest=@d+9h latest=now 
| dedup IDEVENT 
| timechart SPAN=1H COUNT AS IDEVENT 
| rename IDEVENT AS " PALLET QUANTITY"

let me know if this helps you!

View solution in original post

auaave · ‎01-03-2018

@ mayurr98 Great! Thanks! It worked! 🙂

mayurr98 · ‎01-03-2018

you are welcome,
accept and upvote if it works for you!

mayurr98 · ‎01-03-2018

hey try this

your_base_Search earliest=@d+9h latest=now 
| dedup IDEVENT 
| timechart SPAN=1H COUNT AS IDEVENT 
| rename IDEVENT AS " PALLET QUANTITY"

let me know if this helps you!

micahkemp · ‎01-03-2018

I'm not sure your search in the example makes sense as-is, but perhaps that's due to it being altered for the question. Assuming it's valid, and you want to only include hours after 9am, try this:

<your search> date_hour>=9
| dedup IDEVENT 
| timechart SPAN=1H COUNT AS IDEVENT 
| rename IDEVENT AS " PALLET QUANTITY"

Splunk parses out the timestamp components (date_month, date_mday, date_hour, etc) for each event, so these fields are available to be a part of your base search.

auaave · ‎01-03-2018

Thanks @micahkemp

How to count the number of eventts starting at 9 am each day?

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services