Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

bin by date that is not the time field

user93
Communicator
‎05-20-2021 11:42 AM

Hi,

So I have a goal to count user visits, but the log polls too frequently, so we are going to define a visit by one user per day. In this instance the data is not yet in splunk, but on an excel spreadsheet. I'm not very good with excel, so I want to add to splunk and use the bin feature.

I have userid and date. I can use either the time field or the date field and I can reformat the date field, but currently the datefield is mm/d/yyyy. I can reformt if makes it easier. 

Once I have my lookup, how do I use the equivalent bin _time span=1d where the time is now a date field? 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-20-2021 01:36 PM

The strptime function is pretty easy to work with (but I also think regex is easy  😀).

| inputlookup file.csv
| eval datetime=strptime(foo, "%m/%d/%Y")
| bin span=1d datetime
| stats count by datetime
```Make the datetime field human-readable```
| fieldformat datetime=strftime(datetime, "%m/%d/%Y")

See the Search Reference manual for detail about strptime, strftime, and their format strings.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎05-20-2021 11:52 AM

The bin command takes a field of your choosing.  Replace _time with the name of your datetime field.  For best results, convert the field into epoch form using strptime before using bin.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

user93
Communicator
‎05-20-2021 12:02 PM

Thanks Rich! I've only used strptime once, I'm now trying to learn how to strip time M/D/Y

 

|inputlookup file.csv

|strptime

|bin

|stats count

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-20-2021 01:36 PM

The strptime function is pretty easy to work with (but I also think regex is easy  😀).

| inputlookup file.csv
| eval datetime=strptime(foo, "%m/%d/%Y")
| bin span=1d datetime
| stats count by datetime
```Make the datetime field human-readable```
| fieldformat datetime=strftime(datetime, "%m/%d/%Y")

See the Search Reference manual for detail about strptime, strftime, and their format strings.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...