Splunk Search
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Trying to take specific subsets of data. (15 minute resolution rather than 5 minute being stored in splunk).

richmond
New Member
‎05-01-2020 08:19 AM

I have some building occupancy data generated from our wireless network that is logged as one record per floor of each building every 5 minutes.
I'm now trying to export a spreadsheet to another user who has requested a 15 minute resolution of this data. I believe I'm looking for a WHERE clause where the minutes of _time for the event fall within a set of ranges. The data isn't aligned to the clock very well so the first record could be in minute 0 to minute 5, so second would need to be 10-15, etc. But my skill level with using these functions is falling short here. 🙂

Tags (1)
0 Karma
Reply

to4kawa
Ultra Champion
‎05-01-2020 02:10 PM 
| bin span=5min _time

try bin to aggregate on each time span.

| timechart span=15min count

However, timechart can be aggregated on any time span.

If you only count the event, here is fastest way:

| tstats count where index=your sourcetype=yours by _time span=15min

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Bin
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Timechart
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Tstats

Reply

tauliang
Communicator
‎05-01-2020 08:55 AM

You can specify a sampling ratio of 3 by activating event sampling for your search in Splunk Web.

  1. In Splunk Web, below the Search bar, click No Event Sampling.
  2. You can use one of the default ratios or specify a custom ratio. a. To use one of the default ratios, click the ratio in the Sampling drop-down. b. To specify a custom ratio, click Custom and type the ratio value, e.g, in you case, 3. Then click Apply. Note, the ratio value must be a positive integer greater than 1.

If you 'd like it to be more widely applied, specify the value in ui-prefs.conf. More details could be found in Splunk Docs.

Reply

richmond
New Member
‎05-01-2020 11:09 AM

However this seems to assume that my data is ordered nicely and have it fall nicely on the 1/3 boundary. It's imported from a CSV which is output from another system that orders things oddly and this approach seems to mangle my data.
If I try to sort the data I'm limited to 10,000 of the ~75,000 rows I need

0 Karma
Reply

tauliang
Communicator
‎05-01-2020 01:20 PM

In this case you can do some manual filtering in the query to return events from certain times, e.g., only the events that landed on 0th, 15th, 30th or 45th minutes of any given hour. An example is below:

index=_internal
| eval eventMin=strftime(_time,"%M")
| table _time, eventMin
| search (eventMin=0 OR eventMinute=15 OR eventMinute=30 OR eventMinute=45)

of course, you can adjust the value of eventMinute to whatever you see fit.

0 Karma
Reply
Get Updates on the Splunk Community!

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Customers Increasingly Choose Splunk for Observability

For the second year in a row, Splunk was recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for ...

Bridging the Gap: Splunk Helps Students Move from Classroom to Career

The Splunk Community is a powerful network of users, educators, and organizations working together to tackle ...
Top