Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to group data by time from csv?

harshal_chakran
Builder
‎07-24-2014 10:55 PM

Hi,

I have a csv with two columns, where 1st column is of datetime format :
"%d-%b-%Y %H:%M:%S" i.e. 01-Jan-2014 00:15:00 & second one showing a RESULT (numerical value)

Is it possible to group my RESULT column with respect to one hour and 6 hours and displaying it in a table?
So that in first case I can show only one hour of data and in second case only 6 hours of data.

Kindly Help...!!!

Tags (4)
0 Karma
Reply

strive
Influencer
‎07-24-2014 11:54 PM

Assuming your CSV column names as Time and Result

Try this

|inputlookup test.csv | eval _time=strptime(Time,"%d-%b-%Y %H:%M:%S") | bucket _time span=6h | stats sum(Result) as Total by _time

The above example is for 6 hour buckets. You can change span for 1 hour buckets.

0 Karma
Reply

somesoni2
Revered Legend
‎08-04-2014 05:39 AM

Just replace "|stats sum(Result) as Total by _time" with " | table _time Result".

Reply

harshal_chakran
Builder
‎08-04-2014 04:07 AM

actualy I dont want the sum, only the table with all the values relative to that timestamp

0 Karma
Reply

strive
Influencer
‎07-25-2014 07:26 AM

With the search that i have given you wont get multiple values for a single timestamp. Give sample input and also expected output. We can modify search as per your requirements

Reply

tom_frotscher
Builder
‎07-25-2014 05:28 AM

You can use the mvexpand command in this case.
yoursearch | mvexpand RESULTS

But if you used the search mentiond by @strive, you should already have you desired result. Maybe you can post the exact search you used again.

Reply

harshal_chakran
Builder
‎07-25-2014 02:23 AM

thanks for the answer strive.

Is it possible to show it as :-

timestamp RESULT
01-Jan-2014 00:15:00 1234
01-Jan-2014 00:15:00 3456
01-Jan-2014 00:15:00 6578

what I am getting now is:

timestamp RESULT
01-Jan-2014 00:15:00 1234
3456
6578

0 Karma
Reply
Get Updates on the Splunk Community!

Good Sourcetype Naming

When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Splunk App for Anomaly Detection End of Life Announcement

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...