Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my search to retrieve three 15 minute spans of data per day for a specified date range?

nmohammed
Builder
‎07-15-2015 11:32 AM

I am trying to get data from splunk on the following basis :

get data :

• From June 19 to July 2
• Every day:
o 10:00 AM to 10:15 AM
o 12:00 noon to 12:15 PM
o 2:00 PM to 2:15 PM

I have been using different searches with strftime, but getting 0 results. When I do a search on a per day basis, I am seeing numbers coming up.

My search:

sourcetype=abc type=xyz clientid=123  | eval myHour=strftime(_time, "%H") | eval myMin=strftime(_time, "%M") | where ( myHour <= 10 AND myMin >=00) AND (myHour > 10 AND myMin <=15) | stats count as Calls by _time | fieldformat Calls = tostring(Calls, "commas")

Can someone please help me figure out on how to get the required data ?

Tags (4)
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-15-2015 04:21 PM

This approach should work, run this from June 19th to July 2nd:

sourcetype=abc type=xyz clientid=123 date_minute>=0 date_minute<15 (date_hour=10 OR date_hour=12 OR date_hour=14) | ...

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-15-2015 04:21 PM

This approach should work, run this from June 19th to July 2nd:

sourcetype=abc type=xyz clientid=123 date_minute>=0 date_minute<15 (date_hour=10 OR date_hour=12 OR date_hour=14) | ...
Reply
Solved! Jump to solution

nmohammed
Builder
‎07-15-2015 05:12 PM

Awesome.. !!! It worked .. Thanks much Martin .

Reply
Solved! Jump to solution

diogofgm
SplunkTrust
SplunkTrust
‎07-15-2015 12:40 PM

i think there's a problem with you where clause... try with this:

| where myHour=10 AND (myMin >=00 AND myMin<=15)

if it still doesn't work check if your evals (myMin and myHour) are showing proper values.

I tested it using some splunk auto extracted date fields and i was getting the proper events

index=_internal | where date_hour=10 AND (date_minute>=00 AND date_minute<=15)
------------
Hope I was able to help you. If so, some karma would be appreciated.
Reply
Solved! Jump to solution

nmohammed
Builder
‎07-15-2015 03:56 PM

thanks ., I have tried this out , both ways.. basically I had changed the structure a little here..

sourcetype=abc type=xyz clientid=123 | stats count as Calls by _time | fieldformat Calls = tostring(Calls, "commas") | eval date_hour=strftime(_time, "%H") | eval date_min=strftime(_time, "%M") | where date_hour=10 AND (date_min>=00 AND date_min<=15)

This had certain matching events, but did not produce any results.

I run the query simply and get the numbers , but have to select the date and time range for each day. But this process is very hectic.

sourcetype=abc type=xyz clientid=123 | stats count as Calls --> produces the numbers

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 2)

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...

Index This | I am a number but I am countless. What am I?

January 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  Happy New Year! We’re ...

What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience

PLATFORM TECH TALKS What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience Thursday, February 27, ...