Splunk Search

How to show data in a range grouped by specified time period?

DataOrg
Builder

i have below data. i want to represent in a range to group date for 5 days and i want date field to represent(16-08-16 - 16-08-30) count. pls help

    date        count
    16-08-26    14
    16-08-27    4
    16-08-28    14
    16-08-29    30
    16-08-30    34
    16-08-31    30
    16-09-01    6
    16-09-02    4
0 Karma
1 Solution

cmerriman
Super Champion

not knowing if you want 5 or 15 days yet, i have written this:
| eval earliest=relative_time(_time,"@mon-16d@d") |eval latest=relative_time(earliest,"+15d@d")|eval time=strftime(earliest,"%y-%m-%d")+" - "+strftime(latest,"%y-%m-%d")
and you can use time as the field to bucket by. you can adjust the values in the relative_time evals to meet your needs, if you really want only 5 days. these will bring you "17-08-16 - 17-08-31" for example.

View solution in original post

cmerriman
Super Champion

not knowing if you want 5 or 15 days yet, i have written this:
| eval earliest=relative_time(_time,"@mon-16d@d") |eval latest=relative_time(earliest,"+15d@d")|eval time=strftime(earliest,"%y-%m-%d")+" - "+strftime(latest,"%y-%m-%d")
and you can use time as the field to bucket by. you can adjust the values in the relative_time evals to meet your needs, if you really want only 5 days. these will bring you "17-08-16 - 17-08-31" for example.

DataOrg
Builder

Thanks. worked perfectly !

0 Karma

cmerriman
Super Champion

Awesome, i'm glad, just make sure to spot check that the counts all match! I'm sure you already did, but i just like to double check when doing aggregates!

0 Karma

cmerriman
Super Champion

do you mean 16-08-26 - 16-08-30 for a 5 day span or 16-08-16 - 16-08-30 for a 15 day span?

0 Karma

DataOrg
Builder

5 days span

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...