Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to distribute a value form an event over a given time period?

Finn
Explorer
‎08-01-2022 01:03 AM

Data Model (simplified):

- numeric value "Hours"

- numeric value "StartTime" (assumed to always have time be 00:00:00) in UnixTime

- numeric value "EndTime" (same assumptionm as above) in UnixTime

- calculated from the above two: time period as UnixTime value

- calculated: "Hours" per day

- string value (cathegorical) "Group"

 

Goal:

get a List of Days where each day contains:

- the respective date

- the "Hours per Day" value assigned to a field named after the Group

 

Intention:

create a vizualisation showing what group is needed how much at what time

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-01-2022 05:12 AM

Try something like this

| makeresults
| eval _raw="{
    \"Stunden\":  3,
    \"Gruppe\":  \"WST-M\",
    \"DatumStart\":  \"2022-07-08 00:00:00\",
    \"DatumEnde\":  \"2022-08-31 00:00:00\",
}"
| spath
| eval DatumStart = strptime(DatumStart,"%F %T")
| eval DatumEnde = strptime(DatumEnde,"%F %T")
| eval duration = DatumEnde-DatumStart
| eval days = floor(duration/86400)
| eval hoursPerDay = Stunden/days
| eval day = mvrange(0,days)
| mvexpand day
| eval _time = DatumStart+(day*86400)
| timechart sum(hoursPerDay) by Gruppe

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-01-2022 02:01 AM

Can you share some sample events - preferably in a code block </> (rather than paragraph text or graphic) as it makes it easer to replicate your usecase, and suggest a solution?

Reply
Solved! Jump to solution

Finn
Explorer
‎08-01-2022 02:25 AM

Sure 🙂

This would be the data i am working with:

{
    "Stunden":  3,
    "Gruppe":  "WST-M",
    "DatumStart":  "2022-07-08 00:00:00",
    "DatumEnde":  "2022-08-31 00:00:00",
}

 These are all the relevant fields i am working with.

I already wrote SPL to extract the Unix Times, calculate the duration of the operation and divide the "Stunden" by this duration.

Since alle field names are in german, I will provide some translations below (ignore if not needed)

Stunden - hours

Gruppe - group

Datum - Date

Start - start

Ende - end

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-01-2022 05:12 AM

Try something like this

| makeresults
| eval _raw="{
    \"Stunden\":  3,
    \"Gruppe\":  \"WST-M\",
    \"DatumStart\":  \"2022-07-08 00:00:00\",
    \"DatumEnde\":  \"2022-08-31 00:00:00\",
}"
| spath
| eval DatumStart = strptime(DatumStart,"%F %T")
| eval DatumEnde = strptime(DatumEnde,"%F %T")
| eval duration = DatumEnde-DatumStart
| eval days = floor(duration/86400)
| eval hoursPerDay = Stunden/days
| eval day = mvrange(0,days)
| mvexpand day
| eval _time = DatumStart+(day*86400)
| timechart sum(hoursPerDay) by Gruppe
Reply
Solved! Jump to solution

Finn
Explorer
‎08-01-2022 06:27 AM

Thank you

"You're simply the best" - Tina Turner

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...