Solved: How to pull latest values for every 4 hours time i...

bnikhil0584 · ‎08-09-2022

Hello,

I'm trying to pull the latest values for every 4 hours in a day ie., latest values between the time
00:00:00 to 04:00:00, 04:00:00 to 08:00:00, 08:00:00 to 12:00:000, 12:00:00 to 16:00:00.... Below is the example of how the data looks like. TIA

ITWhisperer · ‎08-09-2022

Assuming StartTime is an epoch time and events are ascending time order

| bin StartTime span=4h
| stats latest(field1) as field1 by StartTime

If not, precede with

| eval StartTime=strptime(StartTime,"%m/%d/%Y %H:%M")
| sort 0 StartTime

View solution in original post

bowesmana · ‎08-09-2022

If you want to align time so that your 4 hours windows are always 0-4, 4-8, 8-12 and so on, then you should use the aligntime parameter to the bin command to align it to the day starting point, otherwise it will bucket the data into 4 hours windows based on the current hour being the last of 4.

| bin _time span=4h aligntime=@d

Note that your startTime appears to be text, so you would also need something like

| eval start_time=strptime(StartTime, "%m/%d/%Y %H:%M")
| bin start_time span=4h aligntime=@d

Note that I assumed US time above, as the data doesn't say either way.

ITWhisperer · ‎08-09-2022

Alternatively, if they are already in descending time order, try this

| bin StartTime span=4h
| dedup StartTime

ITWhisperer · ‎08-09-2022

Assuming StartTime is an epoch time and events are ascending time order

| bin StartTime span=4h
| stats latest(field1) as field1 by StartTime

If not, precede with

| eval StartTime=strptime(StartTime,"%m/%d/%Y %H:%M")
| sort 0 StartTime

How to pull latest values for every 4 hours time interval?

stats

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Unleash Unified Security and Observability with Splunk Cloud Platform