Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Use another time field to group information by time

bfernandez
Communicator
‎06-11-2012 01:41 PM

Is there any way to use another time field than timestamp to group information by week?

I tried to create a new time field known for splunk with strptime function and use it to group the information in weeks through bucket and chart commands without success.

Query example:

sourcetype="peticionesh_proceso_negocio" | eval DemoTime = strptime(InitialTime,"%Y-%m-%d %H:%M:%S.%l") | table _time, DemoTime, InitialTime

Data output example:

ID Timestamp (_time) DemoTime InitialTime
1 6/8/12 12:45:00.950 PM 1345413600.000000 2012-08-20 00:00:00.000
2 6/8/12 12:45:00.253 PM 1341180000.000000 2012-07-02 00:00:00.000
3 6/8/12 12:44:59.350 PM 1342994400.000000 2012-07-23 00:00:00.000
4 6/8/12 12:44:58.013 PM 1340575200.000000 2012-06-25 00:00:00.000

Commands used:

... | chart f(x) DemoTime span=1w
… | bucket DemoTime span=1w

Any help to solve this problem is appreciated. Thanks.

Reply
1 Solution
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎06-11-2012 01:49 PM

This doesn't work?

sourcetype="peticionesh_proceso_negocio" | eval DemoTime = strptime(InitialTime,"%Y-%m-%d %T.%q) | bin span=7d DemoTime | stats f(x) by DemoTime

View solution in original post

Reply
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎06-11-2012 01:49 PM

This doesn't work?

sourcetype="peticionesh_proceso_negocio" | eval DemoTime = strptime(InitialTime,"%Y-%m-%d %T.%q) | bin span=7d DemoTime | stats f(x) by DemoTime
Reply
Solved! Jump to solution

araitz
Splunk Employee
Splunk Employee
‎06-12-2012 09:11 AM

I changed it back so you could see the old search. bin and bucket are the same command, the main difference was the use of stats and the split by DemoTime.

0 Karma
Reply
Solved! Jump to solution

bfernandez
Communicator
‎06-12-2012 02:52 AM

I swear that yesterday you indicated another solution that include bin command and grouping by week.

sourcetype="peticionesh_proceso_negocio" | eval DemoTime = strptime(InitialTime,"%Y-%m-%d %H:%M:%S.%l") | bin DemoTime span=1w as weeks | chart count by weeks

What is the difference between bucket and bin command? it’s supposed to be an alias for bucket command

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...