How to create bins for _time that start and end on...

ErikaE · ‎11-12-2015

I am attempting to summarize data by a 12 hour reporting period. The reporting periods start/end at 8.

My search looks like this:

field1=value1 earliest=@w0+8h | transaction maxpause=5m maxspan=2h | bin _time span=12h  | stats sum(duration) by _time

Unfortunately, it produces results starting at 7 am and ending at 7 pm.

I have tried:

changing the value of hours added in earliest : i.e. w0+5h also produces bins that start and end at 7
removing the transaction command from the search and putting in a placeholder for duration
changing the span in the bin command: span of 1h starts at 8 am, all other bin span values i.e. 2, 4 start at 7 am

It seems like something to do with the bin span as the problem, but I don't know how to fix it.

Unfortunately, I can't provide anything but generic examples of my data since I work in industry.

woodcock · ‎11-13-2015

The simplest way is to force a temporary frame of reference that lets things work as they are now, and then shift back at the end, like this:

field1=value1 earliest=@w0+8h | eval _time = _time - 3600 | transaction maxpause=5m maxspan=2h | bin _time span=12h  | stats sum(duration) by _time | eval _time = _time + 3600

How to create bins for _time that start and end on specific hours of the day?

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout