Splunk Search

How to group data by time from csv?

harshal_chakran
Builder

Hi,

I have a CSV with two columns, where the 1st column is in datetime format:
"%d-%b-%Y %H:%M:%S", i.e. 01-Jan-2014 00:15:00, and the second one shows a RESULT (numerical value).

Is it possible to group my RESULT column with respect to one hour and 6 hours and displaying it in a table?
So that in first case I can show only one hour of data and in second case only 6 hours of data.

Kindly Help...!!!


strive
Influencer

Assuming your CSV column names are Time and Result.

Try this

|inputlookup test.csv | eval _time=strptime(Time,"%d-%b-%Y %H:%M:%S") | bucket _time span=6h | stats sum(Result) as Total by _time

The above example is for 6 hour buckets. You can change span for 1 hour buckets.


somesoni2
Revered Legend

Just replace "|stats sum(Result) as Total by _time" with " | table _time Result".

harshal_chakran
Builder

Actually, I don't want the sum, only the table with all the values relative to that timestamp.


strive
Influencer

With the search that I have given, you won't get multiple values for a single timestamp. Give sample input and also expected output. We can modify the search as per your requirements.

tom_frotscher
Builder

You can use the mvexpand command in this case.
yoursearch | mvexpand RESULTS

But if you used the search mentioned by @strive, you should already have your desired result. Maybe you can post the exact search you used again.

harshal_chakran
Builder

Thanks for the answer, strive.

Is it possible to show it as :-

timestamp RESULT
01-Jan-2014 00:15:00 1234
01-Jan-2014 00:15:00 3456
01-Jan-2014 00:15:00 6578

what I am getting now is:

timestamp RESULT
01-Jan-2014 00:15:00 1234
3456
6578

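To make the semantics of strive's search concrete, and to show the difference between the multivalue display the asker is getting and the flat table (timestamp repeated on every row) he wants, here is an added Python example that is not part of the thread and not Splunk code. It assumes the column names Time and Result (as strive did), uses a small constructed CSV, and floors each timestamp to the start of its 1-hour or 6-hour span the way `bucket _time span=Nh` does (for spans that divide 24 hours, epoch-aligned spans coincide with midnight-aligned ones, so naive datetimes are enough here). `sum_by_span` mirrors `stats sum(Result) as Total by _time`; `table_rows` produces the one-row-per-value layout.

```python
import csv
import io
from collections import OrderedDict
from datetime import datetime, timedelta

# Time format given in the question.
TIME_FMT = "%d-%b-%Y %H:%M:%S"

# Constructed sample input (not from the thread); column names Time and Result are assumed.
SAMPLE_CSV = """Time,Result
01-Jan-2014 00:15:00,1234
01-Jan-2014 00:45:00,3456
01-Jan-2014 01:10:00,6578
01-Jan-2014 05:59:00,42
01-Jan-2014 06:00:00,7
"""


def parse_rows(csv_text):
    """The strptime step: turn each CSV row into a (datetime, int) pair."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [(datetime.strptime(r["Time"], TIME_FMT), int(r["Result"])) for r in reader]


def bucket_start(ts, span_hours):
    """Floor ts to the start of its span, like `bucket _time span=<span_hours>h`.

    Spans are aligned to midnight (00:00, 06:00, 12:00, 18:00 for 6h), which matches
    Splunk's epoch alignment for any span that divides 24 hours.
    """
    span = span_hours * 3600
    since_midnight = ts.hour * 3600 + ts.minute * 60 + ts.second
    offset = since_midnight - since_midnight % span
    midnight = ts.replace(hour=0, minute=0, second=0, microsecond=0)
    return midnight + timedelta(seconds=offset)


def group_by_span(rows, span_hours):
    """Ordered mapping: bucket start -> list of Result values in that bucket."""
    groups = OrderedDict()
    for ts, result in sorted(rows):
        groups.setdefault(bucket_start(ts, span_hours), []).append(result)
    return groups


def sum_by_span(rows, span_hours):
    """Equivalent of `... | bucket _time span=Nh | stats sum(Result) as Total by _time`."""
    return OrderedDict((start, sum(vals)) for start, vals in group_by_span(rows, span_hours).items())


def table_rows(rows, span_hours):
    """Flat table: one (bucket timestamp, Result) row per value, timestamp repeated on each row."""
    return [
        (start.strftime(TIME_FMT), result)
        for start, vals in group_by_span(rows, span_hours).items()
        for result in vals
    ]


if __name__ == "__main__":
    data = parse_rows(SAMPLE_CSV)
    for span in (1, 6):
        print(f"--- span={span}h, all values ---")
        for stamp, result in table_rows(data, span):
            print(stamp, result)
        print(f"--- span={span}h, totals ---")
        for start, total in sum_by_span(data, span).items():
            print(start.strftime(TIME_FMT), total)
```

Running the script prints both layouts for 1-hour and 6-hour spans; with the constructed input the 6-hour view puts four values under 01-Jan-2014 00:00:00 (total 11310) and one under 06:00:00 (total 7).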