Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

converting this search to hours instead of days

Peterm1993
Explorer
‎11-09-2023 04:52 PM

Hi im trying to convert this search to show totals in hours instead of days/dates can anyone help me please?

index=analyst reporttype=DepTrayCaseQty Location=DEP/AutoDep*
| where Dimension>0 OR ProtrusionError>0 OR OffCentreError>0
| table _time OrderId ProtrusionError OffCentreError Dimension *
| bin _time span=1d
| eval _time=strftime(_time,"%d")
| eval foo=ProtrusionError+OffCentreError+Dimension
| chart sum(foo) as ErrorFrequency over Location by _time useother=f limit=100
| addtotals
| sort 0 - Total _time
| fields - TOTAL

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Peterm1993
Explorer
‎11-09-2023 06:00 PM

figured it out. thanks for your help.

index=analyst reporttype=DepTrayCaseQty Location=DEP/AutoDep*
| where OrientationError>0
| table _time OrderId OrientationError *
| bin _time span=1h
| eval _time=strftime(_time,"%dt%H")
| chart sum(OrientationError) as ErrorFrequency over Location by _time useother=f limit=200
| addtotals
| sort 0 - Total _time
| fields - TOTAL

 

was what i was looking for!

View solution in original post

Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎11-09-2023 06:02 PM

Hi @Peterm1993 .. Please add karma  / upvote the reply which helped you.. thanks. 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply
Solved! Jump to solution
Solution

Peterm1993
Explorer
‎11-09-2023 06:00 PM

figured it out. thanks for your help.

index=analyst reporttype=DepTrayCaseQty Location=DEP/AutoDep*
| where OrientationError>0
| table _time OrderId OrientationError *
| bin _time span=1h
| eval _time=strftime(_time,"%dt%H")
| chart sum(OrientationError) as ErrorFrequency over Location by _time useother=f limit=200
| addtotals
| sort 0 - Total _time
| fields - TOTAL

 

was what i was looking for!

Reply
Solved! Jump to solution

Peterm1993
Explorer
‎11-09-2023 05:50 PM

hi @inventsekar I'm trying to convert the results from a daily result to a hourly breakdown so instead of for example and apologies cause I'm very new to splunk

9/11/23 165 errors

it would be

1am-2am12 errors

2am-3am 35 errors

3am-4am 12 errors

totaling to 165 errors 

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎11-09-2023 05:58 PM

Hi @Peterm1993 .. As Rich suggested, the bin command should be adjusted to hour and then the strftime command should be edited from "%d" to "%H" (if this %H does not work, then, pls copy paste a sample event's _time value... we should double check how the hours looks.. (is it 12 hrs or is it 24 hrs))

Please try this Search Query.. thanks. 

index=analyst reporttype=DepTrayCaseQty Location=DEP/AutoDep*
| where Dimension>0 OR ProtrusionError>0 OR OffCentreError>0
| table _time OrderId ProtrusionError OffCentreError Dimension *
| bin _time span=1h
| eval _time=strftime(_time,"%H")
| eval foo=ProtrusionError+OffCentreError+Dimension
| chart sum(foo) as ErrorFrequency over Location by _time useother=f limit=100
| addtotals
| sort 0 - Total _time
| fields - TOTAL

 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎11-09-2023 05:20 PM

Change the bin command to set the desired interval.  Then adjust the strftime function.

| bin _time span=1h
| eval _time=strftime(_time,"%H")

 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎11-09-2023 05:18 PM

Hi @Peterm1993 .. do you mean, you want to convert number of days to number of hours (days divided by 24) .. OR.. when you are using that strftime, instead of picking up the days(%d), you want to pick up the hours... please confirm.. thanks. 

index=analyst reporttype=DepTrayCaseQty Location=DEP/AutoDep*
| where Dimension>0 OR ProtrusionError>0 OR OffCentreError>0
| table _time OrderId ProtrusionError OffCentreError Dimension *
| bin _time span=1d
| eval Total_time=strftime(_time,"%d")
```Comment - looks like you miss-typed the "Total_time" as "_time"```
| eval foo=ProtrusionError+OffCentreError+Dimension
| chart sum(foo) as ErrorFrequency over Location by _time useother=f limit=100
| addtotals
| sort 0 - Total _time
| fields - TOTAL

 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Reply
Get Updates on the Splunk Community!

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...

Splunk App Dev Community Updates – What’s New and What’s Next

Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...
li.common.scroll-to.top