How to search the percentage of times an event happened within a certain time period each day over a specified time range?

New Member

I am trying to construct a search that will display the percentage of times an event happened before 8 am and percentage of times the event happened after 8 am over the last month or even the last year.

I have not found much in the way of getting started... I think it might have something to do with buckets and possibly a timechart but I am really not sure.

Re: How to search the percentage of times an event happened within a certain time period each day over a specified time range?

SplunkTrust

You could try something like this:

<your_search_for_Event>
| eval timeBucket = if(tonumber(strftime(_time,"%H")) < 8, "Before", "After")
| stats sum(eval(if(timeBucket=="After",1,0))) as After sum(eval(if(timeBucket=="Before",1,0))) as Before
| eval total = After + Before
| eval After_Percent = After / total * 100
| eval Before_Percent = Before / total * 100

If you have a key in the event, you can use the normal by clause to split it out, and nothing else will need to change!

Re: How to search the percentage of times an event happened within a certain time period each day over a specified time range?

SplunkTrust

Try something like this (example query with _internal data)

index=_internal sourcetype=splunkd log_level=ERROR component=TcpOutputFd
| table _time
| eval Hour=tonumber(strftime(_time,"%H"))
| eval Before8AM=if(Hour<8,1,0)
| eval After8PM=if(Hour>20,1,0)
| stats count as Total sum(Before8AM) as Before8AM sum(After8PM) as After8PM
| eval Before8AM=round(Before8AM*100/Total,2)
| eval After8PM=round(After8PM*100/Total,2)
| table Before8AM After8PM
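Both answers above bucket each event by its hour and then turn the bucket counts into percentages. The search below is an added example (not code from either answer) that applies the same technique to a constructed set of timestamps generated with makeresults, so it runs on any Splunk instance without needing the _internal index, and extends it to the per-day breakdown the question title asks for by binning _time to one-day spans before the stats. The eight timestamps and the 8 am cutoff are assumptions made up for the example; the real search would replace the makeresults/mvexpand lines with the base search for the event.

```spl
| makeresults
| eval ts=split("2024-01-01 06:15:00,2024-01-01 09:40:00,2024-01-01 23:05:00,2024-01-02 07:05:00,2024-01-02 13:20:00,2024-01-03 03:30:00,2024-01-03 07:59:00,2024-01-03 08:00:00", ",")
| mvexpand ts
| eval _time=strptime(ts, "%Y-%m-%d %H:%M:%S")
| eval timeBucket=if(tonumber(strftime(_time, "%H")) < 8, "Before", "After")
| bin _time span=1d
| stats count AS total, sum(eval(if(timeBucket=="Before", 1, 0))) AS Before, sum(eval(if(timeBucket=="After", 1, 0))) AS After BY _time
| eval Before_Percent=round(Before * 100 / total, 2), After_Percent=round(After * 100 / total, 2)
| table _time total Before After Before_Percent After_Percent
```

With the constructed data this yields one row per day: 2024-01-01 with 1 Before and 2 After (33.33 / 66.67), 2024-01-02 with 1 and 1 (50 / 50), and 2024-01-03 with 2 and 1 (66.67 / 33.33); the 07:59:00 and 08:00:00 events show that the cutoff is exclusive on the Before side. The hour is taken from strftime, so the bucket follows the search-time timezone of the user running the search, which matters for events ingested from hosts in other timezones. As the first answer notes, adding a key field to the BY clause (for example BY _time, host) splits the percentages out per key with no other change.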