Picking events depending on timestamp

praspai
Path Finder

Hi,

I have a script which gets the value for a KPI every 4 minutes.

10/9/15
8:44:00.000 AM

KpiId="4185"|kpiName="DocStats.TotalCount: $Host.HostName, $IntegrationServer.Port, $TNServer.Name"|Host.HostName="xxxx.com"|TNServer.Name="TNServer"|IntegrationServer.Port="xxxx"|date="2015-10-09T08:44:00Z"|value="4440407.0"
10/9/15
8:48:00.000 AM

KpiId="1824"|kpiName="DocStats.TotalCount: $Host.HostName, $IntegrationServer.Port, $TNServer.Name"|Host.HostName="xxxx.com"|TNServer.Name="TNServer"|IntegrationServer.Port="xxxx"|date="2015-10-09T08:48:00Z"|value="6792796.0"

10/9/15
8:52:00.000 AM

KpiId="4188"|kpiName="DocStats.TotalCount: $Host.HostName, $IntegrationServer.Port, $TNServer.Name"|IntegrationServer.Port="xxxx"|TNServer.Name="TNServer"|Host.HostName="xxxx.com"|date="2015-10-09T08:52:00Z"|value="4463853.0"

I just want to select the event value at each hour. How can I do that?

Thanks.

woodcock
Esteemed Legend

You can do it like this:

... date_minute=0 | table _time value

But you would probably be better off doing an average over the hour like this:

... | timechart span=1h avg(value)

praspai
Path Finder

The value I am getting is a cumulative value. I want to find the difference between values at each hour so that I can find out how many requests are processed during the hour.

woodcock
Esteemed Legend

Like this:

... | timechart span=1h count(value) AS numRequestsThisHour

Or:

 ... value=* | timechart span=1h dc(hosts) AS hostsWithRequestsThisHour
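
An added example, not part of any post in this thread: one way to turn a cumulative counter into per-hour deltas in SPL, by keeping the last reading of each hour and subtracting the previous hour's reading. It goes beyond the thread by also handling a counter reset. The sample readings are constructed with `makeresults`, and the field names `cumulative`, `previous` and `processedThisHour`, as well as the rule that a drop means the counter restarted from zero, are assumptions.

```spl
| makeresults count=9 ```constructed sample: one reading every 20 minutes, starting at midnight```
| streamstats count AS n
| eval _time = relative_time(now(), "@d") + (n - 1) * 1200
| eval value = tonumber(mvindex(split("100,140,190,260,300,350,20,60,90", ","), n - 1))
| bin _time span=1h ```from here on, the same steps apply to real events```
| stats latest(value) AS cumulative BY _time ```last reading seen in each hour```
| sort 0 _time
| streamstats current=f window=1 last(cumulative) AS previous ```reading from the previous hour```
| eval processedThisHour = case(
    isnull(previous), null(),
    cumulative < previous, cumulative,
    true(), cumulative - previous) ```assumption: a drop means the counter restarted from zero```
| table _time cumulative previous processedThisHour
```

On real data, replace the first four lines with the base search (for example `... value=*`). If several counters share the same events, add the field that identifies the counter to the `BY` clause of both `stats` and `streamstats`.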