Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Run a search for every possible 60 minute period in the past 24 hours?

msarro
Builder
‎03-05-2012 07:38 AM

Greetings everyone. We are using a search against CDR data to calculate the 60 minute period in a day which has the highest number of calls. Currently, we are using this search:

index=AS AND sourcetype=AS_CDR earliest=-61m@m latest=-1m@m AND (host=wdv-as03-01.mydomain.net OR host=wdv-as03-02.mydomain.net)|stats count AS "Number Of Calls"|eval "Hour Ending"=strftime(tostring(now()-60), "%m/%d/%Y %H:%M")|table "Hour Ending" "Number Of Calls"

It is run every minute, and outputs the number of records from -61 minutes to -1 minutes, and the hour/minute that the search was run. We would love to use timechart to do this at the end of the day as opposed to running the search every minute for scalability purposes, but when we tell timechart to run with a maxspan of 60m, it automatically seems to snap to the hour. The issue this causes is - what if our busiest hour of the day is from 1:32 to 2:32 - that busiest timeframe would be split between the 1pm-2pm period, and the 2pm to 3pm period. We need to be able to see that it was the time between 1:32 and 2:32.

Any advice would be very much appreciated.

Tags (1)
Reply

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎03-05-2012 08:33 AM

You can use streamstats to calculate this:

index=AS sourcetype=AS_CDR (host=wdv-as03-01.mydomain.net OR host=wdv-as03-02.mydomain.net) earliest=-1441m@m latest=-1m@m
| bin span=1m _time as minute
| stats count as minute_count by minute
| streamstats window=60 sum(count) as hour_count
| eval hour_ending = strftime(minute, "%m/%d/%Y %H:%M")
| table hour_ending hour_count
| sort - hour_count
Reply
Get Updates on the Splunk Community!

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to Officially Supported Splunk ...