Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there a way to group the data by time and another field?

kuul13
Explorer
‎07-18-2025 01:33 PM

I was able to write a query that group by api (msgsource) to show the response times, but I am trying to see if I can extract the result in a different format. Here is the query I used:

query
| rex field=_raw "Time=(?<NewTime>\d{4}\.\d+)" 
| eval TimeMilliseconds=(NewTime*1000)
| timechart span=1d count as total,  
count(eval(TimeMilliseconds<=1000)) as "<1sec",
count(eval(TimeMilliseconds>1000 AND TimeMilliseconds<=2000)) as "1sec-2sec"
count(eval(TimeMilliseconds>2000 AND TimeMilliseconds<=5000)) as "2sec-5sec"
count(eval(TimeMilliseconds>48000 )) as "48sec+", by msgsource

Here is the output that I get today:

_timetotal: retrieveApitotal: createApi<1sec: retireveApi<1sec: createApi1sec-2sec: retrieveApi1sec-2sec: createApi2sec-5sec: retrieveApi2sec-5sec: createApi
25-07-131234200120019834101
2025-07-1410003359903308520

 

This is what I would like to see, the results grouped by `_time` and `msgsource` both.

_timemsgsourcetotal<1sec1sec-2sec2sec-5sec
2025-07-13retrieveApi12341200340
2025-07-13createApi20019811
2025-07-14retrieveApi100099082
2025-07-14createApi33533050
Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-20-2025 01:25 AM

You still need the timechart from your original search

my query
| rex field=_raw "Time=(?<NewTime>\d{4}\.\d+)" 
| eval TimeMilliseconds=(NewTime*1000)
| timechart span=1d count as total,  
count(eval(TimeMilliseconds<=1000)) as "<1sec",
count(eval(TimeMilliseconds>1000 AND TimeMilliseconds<=2000)) as "1sec-2sec"
count(eval(TimeMilliseconds>2000 AND TimeMilliseconds<=5000)) as "2sec-5sec"
count(eval(TimeMilliseconds>48000 )) as "48sec+", by msgsource
| untable _time msgsource count
| eval group=mvindex(split(msgsource,": "),0)
| eval msgsource=mvindex(split(msgsource,": "),1)
| eval _time=_time.":".msgsource
| xyseries _time group count
| eval msgsource=mvindex(split(_time,":"),1)
| eval _time=mvindex(split(_time,":"),0)
| table _time msgsource total *

View solution in original post

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎07-19-2025 01:03 AM

As often, there is more than one way to do things in SPL 🙂

query
| rex field=_raw "Time=(?<NewTime>\d{4}\.\d+)"

This one is pretty OK. 😉

I'd _not_ go into multiplying it at the moment. You can multiply the aggregate at the end. The performance difference is minuscule but let's optimize it anyway.

| eval timeperiod=case(Time<1,"<1",Time<2,"1<2",Time<5,"<5",Time<48,"5<48",1=1,">48)

This way you have a "classifier" field by which you can do your count

Now instead of timechart you can do

| bin _time span=1d
| stats count by _time timeperiod msgsource

So now we can "pack"

| eval timesource=_time . "|" . msgsource

and table

| xyseries timesource timeperiod count

and split

| eval _time=mvindex(split(timesource,"|"),0),msgsource=mvindex(split(timesource,"|"),1)
| fields - timesource

Warning: I'm writing this "on paper" because I don't have my Splunk instance at hand so it might contain some small syntax mistakes. The idea is there however.

0 Karma
Reply
Solved! Jump to solution

kuul13
Explorer
‎07-20-2025 12:08 AM

Sorry I didn't mention before that I know very basic of Splunk, so I couldn't follow everything you said. Here is the query that I tried and the result:

| rex field=_raw "Time=(?<NewTime>\d{4}\.\d+)" 
| eval TimeMilliseconds=(NewTime*1000)
| eval timeperiod=case(TimeMilliseconds<1,"<1",TimeMilliseconds<2,"1<2",TimeMilliseconds<5,"<5",TimeMilliseconds<48,"5<48",1=1,">48")
| bin _time span=1d
| stats count by _time timeperiod msgsource
| eval timesource=_time . "|" . msgsource
| xyseries timesource timeperiod count
| eval _time=mvindex(split(timesource,"|"),0),msgsource=mvindex(split(timesource,"|"),1)
| fields - timesource

output looks like this which is not what is expected.

5<48>48_time

msgsource

14392025-07-20createAPI
119432025-07-20RetrieveAPI

 

I was expecting an output something

_timemsgsourcetotal<1s1-2s2-5s>5s

 

 

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎07-20-2025 12:17 AM

Right. If you don't have the values, you can use

| fillnull '<1' '1<2' '2<5' '5<48'  '>48'
| addtotals col=f row=t

Alternatively you can fiddle with @ITWhisperer 's approach - use timechart to get the data with already filled with zeros and then retransform its results.

The order of the fields you can change by adding fields command at the end.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-18-2025 03:45 PM

Try something like this

| untable _time msgsource count
| eval group=mvindex(split(msgsource,": "),0)
| eval msgsource=mvindex(split(msgsource,": "),1)
| eval _time=_time.":".msgsource
| xyseries _time group count
| eval msgsource=mvindex(split(_time,":"),1)
| eval _time=mvindex(split(_time,":"),0)
| table _time msgsource total *
0 Karma
Reply
Solved! Jump to solution

kuul13
Explorer
‎07-20-2025 12:15 AM

Sorry, I know very basics of Splunk. I don't think I was able formulate the query you suggested as it return no output. Here is the query I ran:

my query
| rex field=_raw "Time=(?<NewTime>\d{4}\.\d+)" 
| eval TimeMilliseconds=(NewTime*1000)
| eval timeperiod=case(TimeMilliseconds<1,"<1s",TimeMilliseconds>=1 AND TimeMilliseconds<2,"1-2s",TimeMilliseconds>=2 AND TimeMilliseconds<5,"2-5s",1=1,">5s")
| untable _time msgsource count
| eval group=mvindex(split(msgsource,": "),0)
| eval msgsource=mvindex(split(msgsource,": "),1)
| eval _time=_time.":".msgsource
| xyseries _time group count
| eval msgsource=mvindex(split(_time,":"),1)
| eval _time=mvindex(split(_time,":"),0)
| table _time msgsource total *



0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-20-2025 01:25 AM

You still need the timechart from your original search

my query
| rex field=_raw "Time=(?<NewTime>\d{4}\.\d+)" 
| eval TimeMilliseconds=(NewTime*1000)
| timechart span=1d count as total,  
count(eval(TimeMilliseconds<=1000)) as "<1sec",
count(eval(TimeMilliseconds>1000 AND TimeMilliseconds<=2000)) as "1sec-2sec"
count(eval(TimeMilliseconds>2000 AND TimeMilliseconds<=5000)) as "2sec-5sec"
count(eval(TimeMilliseconds>48000 )) as "48sec+", by msgsource
| untable _time msgsource count
| eval group=mvindex(split(msgsource,": "),0)
| eval msgsource=mvindex(split(msgsource,": "),1)
| eval _time=_time.":".msgsource
| xyseries _time group count
| eval msgsource=mvindex(split(_time,":"),1)
| eval _time=mvindex(split(_time,":"),0)
| table _time msgsource total *
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...