get data by time

Learner · ‎12-07-2020

hi all, in my original search im getting data by folloing command:

| stats range(_time) as timetaken by CorrelationID| stats count as Total, avg(timetaken) as AvgResponseTime, perc95(timetaken) as P95ResponseTime

but now, i want this data on hourly basis. so i tried the following script:

 |bin _time span=1d |eval Time=strftime(_time , "%d/%m/%Y %H:%M")| stats range(_time) as timetaken by CorrelationID| stats count as Total, avg(timetaken) as AvgResponseTime, perc95(timetaken) as P95ResponseTime by Time

but this gives me 0 value. i'm seeking for the right way to get data on hourly basis.

richgalloway · ‎12-08-2020

The bin command rounds off _time values to the day so all events that happen on the same day will have the same timestamp (2020-12-08T00:00:00 today, for example). The range(_time) function will return 0 on any given day.

To get hourly data, however, one should use span=1h rather than span=1d and use _time in the by clause of the final stats.

---
If this reply helps you, Karma would be appreciated.

get data by time

stats

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation

get data by time

stats

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions