Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Split time period into shorter intervals
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tommasoscarpa1
Path Finder
07-11-2024
03:27 AM
Hello,
I have this data set:
event, start_time, end_time
EV1, 2024/07/11 12:05, 2024/07/11 13:05
EV2, 2024/07/11 21:13, 2024/07/12 04:13
EV3, 2024/07/13 11:22, 2024/07/14 02:44
I need to split the time intervals into hourly intervals. One interval for each row.
Eventually I'm looking for an output like this:
event, start_time, end_time
EV1, 2024/07/11 12:05, 2024/07/11 13:00
EV1, 2024/07/11 13:00, 2024/07/11 13:05
EV2, 2024/07/11 21:13, 2024/07/12 22:00
EV2, 2024/07/11 22:00, 2024/07/12 23:00
EV2, 2024/07/11 23:00, 2024/07/12 00:00
EV2, 2024/07/11 00:00, 2024/07/12 01:00
EV2, 2024/07/11 01:00, 2024/07/12 02:00
EV2, 2024/07/11 02:00, 2024/07/12 03:00
EV2, 2024/07/11 03:00, 2024/07/12 04:00
EV2, 2024/07/11 04:00, 2024/07/12 04:13
EV3, 2024/07/13 11:22, 2024/07/14 12:00
EV3, 2024/07/13 12:00, 2024/07/14 13:00
EV3, 2024/07/13 13:00, 2024/07/14 14:00
EV3, 2024/07/13 14:00, 2024/07/14 15:00
EV3, 2024/07/13 15:00, 2024/07/14 16:00
EV3, 2024/07/13 16:00, 2024/07/14 17:00
EV3, 2024/07/13 17:00, 2024/07/14 18:00
EV3, 2024/07/13 18:00, 2024/07/14 19:00
EV3, 2024/07/13 19:00, 2024/07/14 20:00
EV3, 2024/07/13 20:00, 2024/07/14 21:00
EV3, 2024/07/13 21:00, 2024/07/14 22:00
EV3, 2024/07/13 22:00, 2024/07/14 23:00
EV3, 2024/07/13 23:00, 2024/07/14 00:00
EV3, 2024/07/13 00:00, 2024/07/14 01:00
EV3, 2024/07/13 01:00, 2024/07/14 02:00
EV3, 2024/07/13 02:00, 2024/07/14 02:44
I tried using bin or timechart command but they don't work.
Do you guys have any sugestion?
Thank you,
Tommaso
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tommasoscarpa1
Path Finder
07-11-2024
07:28 AM
I got it:
| eval start_time=strptime(start_time,"%Y/%m/%d %H:%M")
| eval end_time=strptime(end_time,"%Y/%m/%d %H:%M")
| eval range_start_time = relative_time(start_time, "@h")
| eval range_end_time = relative_time(end_time, "+1h@h")
| eval range_start_time=mvrange(range_start_time, range_end_time, "1h")
| mvexpand range_start_time
| eval range_end_time=range_start_time+3600
| eval end_time=min(range_end_time, end_time)
| eval start_time=max(range_start_time, start_time)
| eval start_time=strftime(start_time,"%Y/%m/%d %H:%M")
| eval end_time=strftime(end_time,"%Y/%m/%d %H:%M")
| eval range_start_time=strftime(range_start_time,"%Y/%m/%d %H:%M")
| eval range_end_time=strftime(range_end_time,"%Y/%m/%d %H:%M")- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
07-11-2024
03:36 AM
| eval time_start=strptime(time_start,"%Y/%m/%d %H:%M")
| eval time_end=strptime(time_end,"%Y/%m/%d %H:%M")
| eval time_start=mvrange(time_start,time_end,60*60)
| mvexpand time_start
| eval time_end=time_start+(60*60)
| eval time_start=strftime(time_start,"%Y/%m/%d %H:%M")
| eval time_end=strftime(time_end,"%Y/%m/%d %H:%M")- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tommasoscarpa1
Path Finder
07-11-2024
03:47 AM
It works like a charm!!
Thank you!!
EDIT-----
No. Sorry My bad. I realized I forgot to mention that timestamps are not always at :00. I've updated the question.
Would you have any suggestion on how to round use your solution to keep into account the minutes?
Thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tommasoscarpa1
Path Finder
07-11-2024
07:28 AM
I got it:
| eval start_time=strptime(start_time,"%Y/%m/%d %H:%M")
| eval end_time=strptime(end_time,"%Y/%m/%d %H:%M")
| eval range_start_time = relative_time(start_time, "@h")
| eval range_end_time = relative_time(end_time, "+1h@h")
| eval range_start_time=mvrange(range_start_time, range_end_time, "1h")
| mvexpand range_start_time
| eval range_end_time=range_start_time+3600
| eval end_time=min(range_end_time, end_time)
| eval start_time=max(range_start_time, start_time)
| eval start_time=strftime(start_time,"%Y/%m/%d %H:%M")
| eval end_time=strftime(end_time,"%Y/%m/%d %H:%M")
| eval range_start_time=strftime(range_start_time,"%Y/%m/%d %H:%M")
| eval range_end_time=strftime(range_end_time,"%Y/%m/%d %H:%M")
Get Updates on the Splunk Community!
Congratulations to the 2025-2026 SplunkTrust!
Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!
The ...
Community Feedback
We Want to Hear from You! Share Your Feedback on the Splunk Community
The Splunk Community is built for you ...
Manual Instrumentation with Splunk Observability Cloud: Implementing the ...
In our observability journey so far, we've built comprehensive instrumentation for our Worms in Space ...
