Solved: How to create Group events based off a time and an...

add53 · ‎01-06-2023

I'm fairly new to Splunk and I am having some trouble grouping somethings they way I want

I have some data which all have a certain ID and a multitude of other values. I want to be able to group this data if they have the same ID, but only group them in a maximum time interval of 24 hours. This I figured out pretty easily, however, the problem is I would also like to see the actual duration of events.

For example, say I have 10 or so events that all have the same ID and they occur within a 5 minute period, I'd want to group them together. I'd also like to be able to group 10 or so events that have the same ID and occur within a 23 hour period.

I've tried using bins, which groups them properly, but then it gives them all the exact same time, so I don't know how to find the exact duration. I've also tried using time charts and transactions with poor results.

Does anyone have any ideas?

ITWhisperer · ‎01-06-2023

Try something like this

| bin span=24h _time as time_bucket
| stats min(_time) as earliest max(_time) as latest by time_bucket id
| eval duration = latest - earliest

View solution in original post

ITWhisperer · ‎01-06-2023

Try something like this

| bin span=24h _time as time_bucket
| stats min(_time) as earliest max(_time) as latest by time_bucket id
| eval duration = latest - earliest

add53 · ‎01-06-2023

That worked great, thanks!

How to create Group events based off a time and an ID?

join

other

timechart

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)