Splunk Search

How to edit my search to get the total count by week and by month?

Path Finder

HI,

Below query gives me output as shown below in sorted order

source=abcd.csv| fields Date,count | stats by Date,count | eval Date=strptime(Date, "%d/%m/%Y") | sort Date | eval Date=strftime(Date, "%d/%m/%Y")

Output:
16/03/2015,10
18/03/2015,20
23/03/2015,5
24/03/2015,15

Could you help me in getting total count by week and month?

i.e., I want the count for week ending 22/mar as 30 and week ending 29/mar as 20. Like wise, need for monthly for february/march,etc

Tags (4)
0 Karma

Motivator

Try this:

source=abcd.csv| bucket span=7d _time| eval week_month=strftime(_time, "%d/%m")|chart  count by week_month|replace */01 with */january in week_month|replace */02 with */February in week_month|replace */03 with */martch in week_month ............................

or : source=abcd.csv| bucket span=7d _time| eval week_month=strftime(_time, "%d/%b")|chart count by week_month

here is an example you can take as a template with the _internal index:

index=_internal sourcetype=*|bucket span=7d _time| eval w_month=strftime(_time, "%d/%m")|chart  count by w_month|replace */01 with */january in w_month|replace */02 with */February in w_month|replace */03 with */martch in w_month|replace */04 with */April in w_month

or more simply : index=_internal sourcetype=*|bucket span=7d _time| eval w_month=strftime(_time, "%d/%b")|chart count by w_month

0 Karma

Motivator

Hi
try this for count by week

source=abcd.csv|timechart  span="1w" count  

and the following for count by month

source=abcd.csv|timechart  span="4w" count  
0 Karma

Builder

Hi,

Following can be used to get the week number in the year.
| eval week=strftime(_time, "%U")

More formats available at https://docs.python.org/2/library/datetime.html#strftime-and-strptime-behavior

Thanks!!

0 Karma

Contributor

Use span with buckets in your search,
eg: |bucket span=7d _time or |bucket span=1mon _time

http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Bucket
http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Timechart

Hope it can help you.

0 Karma