Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Use another time field to group information by time

bfernandez
Communicator
‎06-11-2012 01:41 PM

Is there any way to use another time field than timestamp to group information by week?

I tried to create a new time field known for splunk with strptime function and use it to group the information in weeks through bucket and chart commands without success.

Query example:

sourcetype="peticionesh_proceso_negocio" | eval DemoTime = strptime(InitialTime,"%Y-%m-%d %H:%M:%S.%l") | table _time, DemoTime, InitialTime

Data output example:

ID Timestamp (_time) DemoTime InitialTime
1 6/8/12 12:45:00.950 PM 1345413600.000000 2012-08-20 00:00:00.000
2 6/8/12 12:45:00.253 PM 1341180000.000000 2012-07-02 00:00:00.000
3 6/8/12 12:44:59.350 PM 1342994400.000000 2012-07-23 00:00:00.000
4 6/8/12 12:44:58.013 PM 1340575200.000000 2012-06-25 00:00:00.000

Commands used:

... | chart f(x) DemoTime span=1w
… | bucket DemoTime span=1w

Any help to solve this problem is appreciated. Thanks.

Reply
1 Solution
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎06-11-2012 01:49 PM

This doesn't work?

sourcetype="peticionesh_proceso_negocio" | eval DemoTime = strptime(InitialTime,"%Y-%m-%d %T.%q) | bin span=7d DemoTime | stats f(x) by DemoTime

View solution in original post

Reply
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎06-11-2012 01:49 PM

This doesn't work?

sourcetype="peticionesh_proceso_negocio" | eval DemoTime = strptime(InitialTime,"%Y-%m-%d %T.%q) | bin span=7d DemoTime | stats f(x) by DemoTime
Reply
Solved! Jump to solution

araitz
Splunk Employee
Splunk Employee
‎06-12-2012 09:11 AM

I changed it back so you could see the old search. bin and bucket are the same command, the main difference was the use of stats and the split by DemoTime.

0 Karma
Reply
Solved! Jump to solution

bfernandez
Communicator
‎06-12-2012 02:52 AM

I swear that yesterday you indicated another solution that include bin command and grouping by week.

sourcetype="peticionesh_proceso_negocio" | eval DemoTime = strptime(InitialTime,"%Y-%m-%d %H:%M:%S.%l") | bin DemoTime span=1w as weeks | chart count by weeks

What is the difference between bucket and bin command? it’s supposed to be an alias for bucket command

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...