Splunk Search

How to edit my search to get the total count by week and by month?

karthikTIL
Path Finder

Hi,

The query below gives me the output shown below, in sorted order:

source=abcd.csv| fields Date,count | stats by Date,count | eval Date=strptime(Date, "%d/%m/%Y") | sort Date | eval Date=strftime(Date, "%d/%m/%Y")

Output:
16/03/2015,10
18/03/2015,20
23/03/2015,5
24/03/2015,15

Could you help me in getting total count by week and month?

i.e., I want the count for the week ending 22/Mar to be 30 and for the week ending 29/Mar to be 20. Likewise, I need monthly totals for February/March, etc.


stephanefotso
Motivator

Try this:

source=abcd.csv| bucket span=7d _time| eval week_month=strftime(_time, "%d/%m")|chart count by week_month|replace */01 with */January in week_month|replace */02 with */February in week_month|replace */03 with */March in week_month ............................

or: source=abcd.csv| bucket span=7d _time| eval week_month=strftime(_time, "%d/%b")|chart count by week_month

Here is an example you can take as a template, using the _internal index:

index=_internal sourcetype=*|bucket span=7d _time| eval w_month=strftime(_time, "%d/%m")|chart count by w_month|replace */01 with */January in w_month|replace */02 with */February in w_month|replace */03 with */March in w_month|replace */04 with */April in w_month

or, more simply: index=_internal sourcetype=*|bucket span=7d _time| eval w_month=strftime(_time, "%d/%b")|chart count by w_month

SGF

chimell
Motivator

Hi,
Try this for the count by week:

source=abcd.csv|timechart span="1w" count

and the following for the count by month:

source=abcd.csv|timechart span="4w" count

vganjare
Builder

Hi,

The following can be used to get the week number in the year:
| eval week=strftime(_time, "%U")

More formats available at https://docs.python.org/2/library/datetime.html#strftime-and-strptime-behavior

Thanks!!


neelamssantosh
Contributor

Use span with bucket in your search,
e.g.: |bucket span=7d _time or |bucket span=1mon _time

http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Bucket
http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Timechart

Hope it can help you.

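Putting the bucket/span advice in the answers above together with the asker's CSV (dates arrive as dd/mm/yyyy strings, so _time has to be built with strptime before any time bucketing works): this is an added example, not a search posted by anyone in the thread. It assumes the CSV fields are named Date and count as in the question, and that the asker wants Monday-to-Sunday weeks labelled by their Sunday (matching the expected 22/03 = 30 and 29/03 = 20). The first search produces the weekly totals, the second the calendar-month totals.

```spl
source=abcd.csv
| eval _time=strptime(Date, "%d/%m/%Y"), count=tonumber(count)
| eval week_end_epoch=relative_time(_time, "@w1") + 6*86400
| stats sum(count) AS total BY week_end_epoch
| sort week_end_epoch
| eval week_ending=strftime(week_end_epoch, "%d/%m/%Y")
| fields week_ending total

source=abcd.csv
| eval _time=strptime(Date, "%d/%m/%Y"), count=tonumber(count)
| bin _time span=1mon
| stats sum(count) AS total BY _time
| sort _time
| eval month=strftime(_time, "%B %Y")
| fields month total
```

On the sample rows in the question the first search returns 22/03/2015 = 30 and 29/03/2015 = 20, and the second returns March 2015 = 50. Two points worth noting: `@w1` snaps to the most recent Monday (a Sunday snaps back six days), so adding six days always yields the Sunday that closes that row's own week; use `@w0` instead if the reporting week should run Sunday to Saturday. Sorting is done on the epoch value rather than the dd/mm/yyyy string, because lexical sorting of that string would put 01/04 before 23/03. Also, `stats by Date,count` in the original search only lists distinct Date/count pairs, so `sum(count)` is what actually produces a total, and `span=1mon` follows calendar-month boundaries where `span=4w` does not.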