Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to set a standard set for span values

psmp
Explorer
‎12-02-2021 02:15 PM

I have a dhasboard which should show buckets with number of machines by span of time. 

Machine A to F is used for 2 mins

Machines D-T was used for 2hrs

Machine s-Z was used for more than 4hrs

So my graph should show the buckets with time range as a standard set. 

XAxis

<5 mins,

5-30mins

30min - 2hrs

2-4hrs

 > 4hrs

YAxis 

No of machines logged on for <2mins

No of machines logged on for 5-30mins 

and so on.

Logon TimeLogoff TimeMachineNameSessionTimeinMins
12/1/2021 19:3312/1/2021 19:36A3
12/1/2021 16:4612/1/2021 17:04B18
12/1/2021 15:3512/1/2021 15:38C3
12/1/2021 11:3512/1/2021 11:38D120
12/1/2021 16:3512/1/2021 21:35E300

 

Base Search | bucket SessionTimeinMins span=20 | chart count(MachineName) by sessionSpan

But this do not help in achieving what i wanted. Any help is much appreciated.  Ho do I set my X-Axis to show standard buckets like <2min, 30-1h and bring the count into this bucket. 

 

Thanks

 

 

Labels (3)
Labels
0 Karma
Reply

psmp
Explorer
‎12-02-2021 03:37 PM

Thank you @ITWhisperer 

How can I match the events that fall under this buckets?  

like Machine A-X will fall under 5-30min as they all have session times in that timerange. 

Thanks for your time and help.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-02-2021 03:43 PM

Do you mean something like this?

| stats values(MachineName) as MachineName by sessionSpan
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-02-2021 03:01 PM 
| eval sessionSpan=case(SessionTimeInMins<5,"5 mins",SessionTimeInMins<30,"5-30mins",SessionTimeInMins<120,"30min - 2hrs",SessionTimeInMins<240,"2-4hrs",1==1,"> 4hrs")
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...