- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- What is an easy way to display the last 30 days _t...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I just wanna display last 30days _time in a table
I am using
Index=_internal earliest=-30d | bucket _time span=1d | Dedup _time | table _time
But it’s taking so much time
Is there any other easy way?
Thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you just want to show daily _time in the table you are looking for gentimes command. It is a generating command which starts with a pipe. Please try out and confirm!
| gentimes start=-30 increment=1d
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you just want to show daily _time in the table you are looking for gentimes command. It is a generating command which starts with a pipe. Please try out and confirm!
| gentimes start=-30 increment=1d
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It worked thank you !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
But getimes snaps to a day
It doesn’t show today
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Add end as +1
| gentimes start=-30 end=+1 increment=1d
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What I mean is
If I run the query today 3pm
It shd go back to 30days at 3pm
Could u please say these ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try the following search
| gentimes start=-30 end=+1 increment=1h
| rename starttime as _time
| timechart count span=1h
| eval _time=strftime(_time,"%Y/%m/%d %H").":00:00"
| eval _time=strptime(_time,"%Y/%m/%d %H:%M:%S")
| eval currentHour=strftime(now(),"%H")
| eval hourFilter=strftime(_time,"%H")
| where currentHour=hourFilter
| table _time
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
But still can’t we snap to exact time ?
Like if I run
At 3:33 it shd snap to 30 days back at 3:33
I tried
Increment=1m but it’s not working
Thank you very much
I got what I need but still I wanna learn more about gentimes
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@akhil4mdev, based on your last request I had used the following to snap to current hour. For minute you would need to make corresponding changes i.e.
| gentimes start=-30 end=+1 increment=1m
If you need Minute as well you would need to add %M and remove a .00 from string time conversion i.e.
| timechart span=1m count
| eval _time=strftime(_time,"%Y/%m/%d %H:%M").":00"
In Order to return only time ranges for current Hour and Minute for each day final change would be
| eval currentHour=strftime(now(),"%H:%M")
| eval hourFilter=strftime(_time,"%H:%M")
| where currentHour=hourFilter
Final query looks like the following:
| gentimes start=-30 end=+1 increment=1m
| rename starttime as _time
| timechart span=1m count
| eval _time=strftime(_time,"%Y/%m/%d %H:%M").":00"
| eval _time=strptime(_time,"%Y/%m/%d %H:%M:%S")
| eval currentHour=strftime(now(),"%H:%M")
| eval hourFilter=strftime(_time,"%H:%M")
| where currentHour=hourFilter
| table _time
Please try out and confirm. Do up vote the comments that have helped!
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to up the vote ? And can I follow you in Linkdin please?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When you hover over specific comment, you would notice Up Arrow pop-up next to the name which can be clicked to Up Vote.
Splunk Answers also allows you to follow your favorite Splunkter 😉 Also another great place to socialize and get immediate response over chat is to join Splunk related channels on Slack Chat.
Finally, sure... if it helps!
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you very much
I got what I need
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Limiting the fields to just _time and using stats instead of dedup should help:
index=_internal earliest=-30d
| fields _time
| bucket _time span=1d
| stats count by _time
| fields - count
How to Monitor Google Kubernetes Engine (GKE)
Index This | How can you make 45 using only 4?
Splunk Education Goes to Washington | Splunk GovSummit 2024
