Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to edit my search to find the time frame windo...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to edit my search to find the time frame window with the least amount of events?
bamalone
New Member
07-11-2017
08:30 AM
Hi there,
I am trying to return the top 3 results of three hour windows where an event is least likely to happen based on the past 30 days during working hours (Monday - Friday 9am - 5pm).
So far I have
event name here
| eval day_of_week = strftime(_time,"%A")
| where NOT (day_of_week="Saturday" OR day_of_week="Sunday")
| bin span=1d _time
| stats count dc(_time) as days by day_of_week
| eval average_count = count / days
| eventstats avg(average_count)
| sort Average_Count | head 3
| fields day_of_week, count
I am looking to return something like:
Example: Monday 9am - 12pm, Monday 2pm - 5pm and Friday 2pm - 5pm.
An ideas how to improve my search and return what I am looking for? Cheers
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
07-11-2017
08:58 AM
Try like this
your base search
| eval day_of_week = strftime(_time,"%A")
| eval hour=strftime(_time,"%H")
| where NOT (day_of_week="Saturday" OR day_of_week="Sunday") AND (hour>=9 AND hour<17)
| eval period=case(hour>=9 AND hour<12,"9 AM to 12 PM",hour>=12 AND hour<14,"12 PM to 2 PM",1=1,"2 PM to 5 PM")
| bin span=1d _time
| stats count dc(_time) as days by day_of_week period
| eval average_count = count/days
| sort 3 average_count
| eval day_of_week, period, count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bamalone
New Member
07-12-2017
01:44 AM
Thanks so much.
However, I would like to return the top 3 x 3 hour time slots with the least amount of events not specific to line 5 in your suggestion.
Something like this instead:
your base search
| eval day_of_week = strftime(_time,"%A")
| eval time= strftime(_time,"%m/%a")." ".strftime(_time,"%H %p")." - ".strftime(Max,"%H %p")
| fieldformat Max=strftime(Max,"%m/%a %H:%M")
| tstats count latest(_time) as Max WHERE index=_internal BY _time span=3h
| where NOT (day_of_week="Saturday" OR day_of_week="Sunday") AND (hour>=9 AND hour<17)
| stats count dc(_time) as days by day_of_week period
| eval average_count = count/days
| sort 3 average_count
| fields day_of_week, period, count
However, the above does not seem to work, can you help me out? Cheers
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
Community Content Calendar, September edition
Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...
Splunkbase Unveils New App Listing Management Public Preview
Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...
