Time Window feature Override with event time field...

liondancer · ‎06-05-2018

I have events that arrive present time but have time fields of something similar to

index=idx_1 zone=aws event_type=test year=2018 month=04 day=01 hour=01 event_count=100

The event arrived at 2018-06-05 but has time field values of year=2018 month=04 day=01 hour=01
I want to be able to manipulate my time window feature for all events with the same month, day, hour, and year fields

Use case:

index=idx_1 zone=aws event_type=test year=2018 month=04 day=01 hour=01 event_count=100
index=idx_1 zone=aws event_type=test year=2018 month=04 day=01 hour=01 event_count=120
index=idx_1 zone=aws event_type=test year=2018 month=04 day=01 hour=02 event_count=10
index=idx_1 zone=aws event_type=test year=2018 month=04 day=01 hour=02 event_count=200

For the example events above arrived on 2018-06-01, I want to be able to use my Time Window feature and pick a DateRange in between 2018-04-01 AND 2018-04-02 and the sample events ABOVE will be returned. How can I do so?

I want to make a chart where the X axis is the time fields and the Y axis is the sum() of all the event_count bounded by the Time Window feature against the event time fields.

       X        |    Y
2018-04-01-01       220 
2018-04-01-02       210

Time Window feature Override with event time fields

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation