Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Trying to take specific subsets of data. (15 minute resolution rather than 5 minute being stored in splunk).

richmond
New Member
‎05-01-2020 08:19 AM

I have some building occupancy data generated from our wireless network that is logged as one record per floor of each building every 5 minutes.
I'm now trying to export a spreadsheet to another user who has requested a 15 minute resolution of this data. I believe I'm looking for a WHERE clause where the minutes of _time for the event fall within a set of ranges. The data isn't aligned to the clock very well so the first record could be in minute 0 to minute 5, so second would need to be 10-15, etc. But my skill level with using these functions is falling short here. 🙂

Tags (1)
0 Karma
Reply

to4kawa
Ultra Champion
‎05-01-2020 02:10 PM 
| bin span=5min _time

try bin to aggregate on each time span.

| timechart span=15min count

However, timechart can be aggregated on any time span.

If you only count the event, here is fastest way:

| tstats count where index=your sourcetype=yours by _time span=15min

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Bin
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Timechart
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Tstats

Reply

tauliang
Communicator
‎05-01-2020 08:55 AM

You can specify a sampling ratio of 3 by activating event sampling for your search in Splunk Web.

  1. In Splunk Web, below the Search bar, click No Event Sampling.
  2. You can use one of the default ratios or specify a custom ratio. a. To use one of the default ratios, click the ratio in the Sampling drop-down. b. To specify a custom ratio, click Custom and type the ratio value, e.g, in you case, 3. Then click Apply. Note, the ratio value must be a positive integer greater than 1.

If you 'd like it to be more widely applied, specify the value in ui-prefs.conf. More details could be found in Splunk Docs.

Reply

richmond
New Member
‎05-01-2020 11:09 AM

However this seems to assume that my data is ordered nicely and have it fall nicely on the 1/3 boundary. It's imported from a CSV which is output from another system that orders things oddly and this approach seems to mangle my data.
If I try to sort the data I'm limited to 10,000 of the ~75,000 rows I need

0 Karma
Reply

tauliang
Communicator
‎05-01-2020 01:20 PM

In this case you can do some manual filtering in the query to return events from certain times, e.g., only the events that landed on 0th, 15th, 30th or 45th minutes of any given hour. An example is below:

index=_internal
| eval eventMin=strftime(_time,"%M")
| table _time, eventMin
| search (eventMin=0 OR eventMinute=15 OR eventMinute=30 OR eventMinute=45)

of course, you can adjust the value of eventMinute to whatever you see fit.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...