Splunk Search

Timechart distribution of stats count result

jgcsco
Path Finder

I am trying to do the following search:

Log file looks like

2012-12-01 11:00:00 id=B starttime=2012-12-02T08:00:00 length=100
2012-12-01 11:00:00 id=C starttime=2012-12-02T08:00:00 length=150
2012-12-01 11:00:00 id=A starttime=2012-12-02T08:00:01 length=100
2012-12-01 11:00:00 id=D starttime=2012-12-02T08:00:00 length=110
2012-12-01 11:00:00 id=C starttime=2012-12-02T08:00:20 length=100
2012-12-01 11:00:00 id=A starttime=2012-12-02T08:00:00 length=200
....

First, I need to find out how many unique values of "id + starttime + length"

mysearch| eval output = (id + ";" + starttime + ";" + length)  | stats count AS key by output 

Then I would like to find out on an hourly basis, the distribution of the key, e.g. how many keys occurred once, twice, 10, 20, etc.. hourly?

I have been struggling with it. Any suggestions?

Thanks

0 Karma
1 Solution

somesoni2
Revered Legend

Try something like this

Yoursearch   | bucket _time span=1h | eval output= (id + ";" + starttime + ";" + length) | stats count as KeyCount  by _time output | eventstats dc(output) as UniqueKeys

View solution in original post

somesoni2
Revered Legend

Try something like this

Yoursearch   | bucket _time span=1h | eval output= (id + ";" + starttime + ";" + length) | stats count as KeyCount  by _time output | eventstats dc(output) as UniqueKeys

jgcsco
Path Finder

thanks, will give it a try!

0 Karma

jensonthottian
Contributor

Use this -
mysearch | bucket _time span=1h | eval output = (id + ";" + starttime + ";" + length) |stats count by _time,output.

Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

How I Instrumented a Rust Application Without Knowing Rust

As a technical writer, I often have to edit or create code snippets for Splunk's distributions of ...