Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk conditional count/aggregation

bomran
Explorer
‎03-19-2018 08:55 AM

I have some CSV data about files imported in to Splunk. The data looks like this:

"\\domain\path\to\file\","<filename>","<fsize>","<ext>","<Last_access>","<last_write>","<creation_time>","<attributes>","<owner>"

I have converted all the date strings to epoch using:

| eval epoch_LastAccessTime=strptime(LastAccessTime, "%d/%m/%Y %H:%M:%S")
...
...

I want to get:

  • A percentage of files last accessed between 6 months and 3 years ago
  • A percentage of files last accessed 3 years or more ago.

This is the search query that I have tried before getting stuck:

index="<my_index>" sourcetype="<my_sourcetype>" 
| rex field=DirectoryName "\\\domain\.org\\\teams\\\(?<Team>[^\\\]*)" 
offset_field=_extracted_fields_bounds  
| eval epoch_LastAccessTime=strptime(LastAccessTime, "%d/%m/%Y 
%H:%M:%S") 
| eval _time=epoch_LastAccessTime
| timechart span=6mon count

I've tried using commands along the lines of:

| where epoch_LastAccessTime>=three_year_ago_from_now AND 
epoch_LastAccessTime<=six_months_ago_from_now

However, this excludes everything else (3y+)

I want the result to look something like:

TimeRange  Perc
6m-3y      60%
3y+        40%
Reply
1 Solution
Solved! Jump to solution
Solution

Lowell
Super Champion
‎03-19-2018 09:07 AM

Your nearly on the right track. Instead of using a where to limit your results, use an eval to build a new categorical field. At that point you'll no longer need the timechart.

Something like:

| eval TimeRange=case(epoch_LastAccessTime>=three_year_ago_from_now, "3y+",
                      epoch_LastAccessTime>=six_months_ago_from_now, "6m-3y",
                      0=0, "less than 6m")
| stats count by TimeRange
| eventstats sum(count) as total_count
| eval pct=100*count/total_count

Note "0=0" is used to provide a "default" option, since it's always true.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Lowell
Super Champion
‎03-19-2018 09:07 AM

Your nearly on the right track. Instead of using a where to limit your results, use an eval to build a new categorical field. At that point you'll no longer need the timechart.

Something like:

| eval TimeRange=case(epoch_LastAccessTime>=three_year_ago_from_now, "3y+",
                      epoch_LastAccessTime>=six_months_ago_from_now, "6m-3y",
                      0=0, "less than 6m")
| stats count by TimeRange
| eventstats sum(count) as total_count
| eval pct=100*count/total_count

Note "0=0" is used to provide a "default" option, since it's always true.

0 Karma
Reply
Solved! Jump to solution

bomran
Explorer
‎03-19-2018 09:57 AM

Exactly what I was looking for, thanks for your help.

0 Karma
Reply
Get Updates on the Splunk Community!

AI for AppInspect

We’re excited to announce two new updates to AppInspect designed to save you time and make the app approval ...

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

As we step into 2026, it’s the perfect moment to reflect on what an extraordinary year 2025 was for the Splunk ...

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Overview Enterprise Security 8.3 introduces a powerful new feature called “Entity Risk Scoring” (ERS) for ...