Time Window feature Override with event time field...

liondancer · ‎06-05-2018

I have events that arrive present time but have time fields of something similar to

index=idx_1 zone=aws event_type=test year=2018 month=04 day=01 hour=01 event_count=100

The event arrived at 2018-06-05 but has time field values of year=2018 month=04 day=01 hour=01
I want to be able to manipulate my time window feature for all events with the same month, day, hour, and year fields

Use case:

index=idx_1 zone=aws event_type=test year=2018 month=04 day=01 hour=01 event_count=100
index=idx_1 zone=aws event_type=test year=2018 month=04 day=01 hour=01 event_count=120
index=idx_1 zone=aws event_type=test year=2018 month=04 day=01 hour=02 event_count=10
index=idx_1 zone=aws event_type=test year=2018 month=04 day=01 hour=02 event_count=200

For the example events above arrived on 2018-06-01, I want to be able to use my Time Window feature and pick a DateRange in between 2018-04-01 AND 2018-04-02 and the sample events ABOVE will be returned. How can I do so?

I want to make a chart where the X axis is the time fields and the Y axis is the sum() of all the event_count bounded by the Time Window feature against the event time fields.

       X        |    Y
2018-04-01-01       220 
2018-04-01-02       210

Time Window feature Override with event time fields

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

How Edge Processor's Durable Queue Works

Announcing Modern Navigation: A New Era of Splunk User Experience

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Join the Conversation