Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Split event for timechart

thuhuongle
Explorer
‎12-23-2020 05:46 AM

Hi, have you tried to do something like this ? I need to calculate the duration and then calculate a % availability line chart(timechart). I could do it with 2 months consecutive but it is not a good solution.
Input:

beginend
2020-03-062020-07-06

 

Expected output:

beginend
2020-03-062020-03-31
2020-04-012020-04-30
2020-05-012020-05-31
 2020-06-012020-06-30
 2020-07-012020-07-06

Thanks in advance.

 

 

| makeresults 
| eval begin = "2020-01-15" , end ="2020-01-30", id="111"
| makemv delim="," id
| makemv delim="," begin
| makemv delim="," end
| append 
    [| makeresults 
| eval begin = "2020-02-15" , end ="2020-02-28", id="111"
| makemv delim="," id
| makemv delim="," begin
| makemv delim="," end]
| append 
    [| makeresults 
| eval begin = "2020-03-06" , end ="2020-07-06", id="111"
| makemv delim="," id
| makemv delim="," begin
| makemv delim="," end]
| append 
    [| makeresults 
| eval begin = "2020-10-15" , end ="2020-10-30", id="111"
| makemv delim="," id
| makemv delim="," begin
| makemv delim="," end]
| append 
    [| makeresults 
| eval begin = "2020-12-15" , end ="2020-12-30", id="111"
| makemv delim="," id
| makemv delim="," begin
| makemv delim="," end]
| eval begin_m = substr(begin,6,2), end_m =  substr(end,6,2)
| eval x= if('begin_m' != 'end_m' ,1,0)
| where x ==1
| fields- begin_m end_m x
| eval end_unix=strptime(end,"%Y-%m-%d")
| eval begin_unix=strptime(begin,"%Y-%m-%d")
| eval begin_new=strftime(relative_time(begin_unix,"+1mon@mon"), "%Y-%m-%d %H:%M:%S+%2Q")
| eval end_new=strftime(relative_time(begin_unix,"+1mon@mon-1second@second"), "%Y-%m-%d %H:%M:%S+%2Q")
| eval end = mvappend(end,end_new), begin = mvappend(begin,begin_new)
| mvexpand end
| mvexpand begin
| eval begin_m = substr(begin,6,2), end_m =  substr(end,6,2)
| eval x= if('begin_m' != 'end_m' ,1,0)
| where x !=1
| fields - begin_m begin_new begin_unix end_m end_new end_unix
| eval end_unix=strptime(end,"%Y-%m-%d")
| eval begin_unix=strptime(begin,"%Y-%m-%d")
| eval duration_d = round((end_unix-begin_unix)/(3600*24),2)
| fields - end_unix begin_unix

 

 

Labels (3)
Labels
0 Karma
Reply

t_shreya
Path Finder
‎12-23-2020 05:51 AM

Hi @thuhuongle ,

I think the span attribute in timechart command may work for you.
https://docs.splunk.com/Documentation/SplunkCloud/8.1.2011/SearchReference/Timechart#Span_options

 

0 Karma
Reply

thuhuongle
Explorer
‎12-23-2020 06:34 AM

Hi @t_shreya,
I dont think span could be a solution because i need to split a event to multiple events based on its begin and end accordingly. 
Thanks anyway

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...