Splunk Search

"bin=2h time" doesn't split the buckets every 2 hours.

cheriemilk
Path Finder

Hi team,

With the query below, I can't get the expected result with the bins split every 2 hours, which I specified by "| bin span=2h TIME":

index=*bizx_application AND sourcetype=perf_log_bizx AND AutoSaveForm OR SaveFormV2 OR SaveForm
| eval TIME=strftime(_time,"%Y-%m-%d %H:%M:%S")
| bin span=2h TIME
| stats count by TIME SFDC

The result I get from the above query is the table below. As you can see, the TIME column is not split every 2 hours. What's wrong here?

[image: bin with 2h.jpg]


ITWhisperer
Ultra Champion

So the original problem has been solved. Please mark the solution as solving the issue so that others looking for the same issue can find it. As for reversing the order of time, you already have another question to cover that, so I will post suggestions there.


ITWhisperer
Ultra Champion

Use _time instead of TIME for your bin and stats. If you want the time displayed in a particular format, use fieldformat.

index=*bizx_application AND sourcetype=perf_log_bizx AND AutoSaveForm OR SaveFormV2 OR SaveForm
| fieldformat _time=strftime(_time,"%Y-%m-%d %H:%M:%S")
| bin span=2h _time
| stats count by _time SFDC
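An added example, not from this thread or from Splunk itself: a small Python model of what `| bin span=2h _time | stats count by _time SFDC` computes on the numeric _time field, with the strftime rendering applied only at display time the way fieldformat does, and why the same bucketing cannot be applied to the string produced by `eval TIME=strftime(...)`. The sample events and the SFDC values are constructed, and aligning buckets to the Unix epoch in UTC is a simplification of Splunk's own bin behaviour.

```python
# Added example (not from the Splunk thread): a Python model of
#   | bin span=2h _time | stats count by _time SFDC
# with the strftime rendering applied only at display time, as fieldformat does.
from collections import Counter
from datetime import datetime, timezone

SPAN_2H = 2 * 3600  # `span=2h` expressed in seconds

# Constructed sample events: (_time as Unix epoch seconds, SFDC value).
EVENTS = [
    (1_700_000_000, "A"),  # 2023-11-14 22:13:20 UTC
    (1_700_000_900, "A"),  # +15 min, same 2h bucket
    (1_700_003_600, "B"),  # +1 h, same bucket
    (1_700_007_200, "A"),  # +2 h, next bucket
    (1_700_010_000, "B"),
    (1_700_014_400, "A"),  # +4 h, third bucket
]


def bin_span(epoch: int, span: int = SPAN_2H) -> int:
    """`bin span=<span> _time`: floor a numeric epoch to the start of its bucket.
    This model aligns buckets to the Unix epoch (UTC); Splunk has its own
    alignment options, which this simplification ignores."""
    return epoch - (epoch % span)


def bin_field(value, span: int = SPAN_2H):
    """bin needs a numeric field. A string produced by `eval TIME=strftime(...)`
    has no number to floor, so this model passes it through unchanged, which is
    the unsplit TIME column the thread observed (a modelling assumption, not a
    statement about Splunk internals)."""
    if isinstance(value, (int, float)):
        return bin_span(int(value), span)
    return value


def stats_count_by_time_sfdc(events, span: int = SPAN_2H) -> dict:
    """`stats count by _time SFDC` on bucketed _time -> {(bucket, sfdc): count}."""
    return dict(Counter((bin_span(t, span), s) for t, s in events))


def fieldformat_time(epoch: int) -> str:
    """`fieldformat _time=strftime(_time, "%Y-%m-%d %H:%M:%S")`: rendering only.
    Unlike eval, the stored value stays numeric, so bin and sort keep working."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def table_newest_first(events, span: int = SPAN_2H) -> list:
    """Rows as a user would see them, ordered by the numeric bucket descending
    (newest bucket first), then by SFDC: [(display_time, sfdc, count), ...]."""
    counts = stats_count_by_time_sfdc(events, span)
    ordered = sorted(counts.items(), key=lambda kv: (-kv[0][0], kv[0][1]))
    return [(fieldformat_time(b), s, c) for (b, s), c in ordered]


if __name__ == "__main__":
    for row in table_newest_first(EVENTS):
        print(*row, sep="\t")
```

Running the block prints five rows: the three events inside 22:00 to 24:00 UTC collapse into one bucket (A counted twice, B once), the next two into the 00:00 bucket, and the last into 02:00. Feeding the formatted string into `bin_field` returns it unchanged, which is the unsplit TIME column from the original question.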

cheriemilk
Path Finder

Hi @ITWhisperer ,

It works by using _time, but I have another requirement: I want to display the time order in the chart descending, by the reverse command, which means the latest time and the corresponding count are put on the left instead of the right.

So with the query below, the reverse command doesn't actually reverse _time. That's why I didn't use _time at first. Any idea?

index=*bizx_application AND sourcetype=perf_log_bizx AND AutoSaveForm OR SaveFormV2 OR SaveForm
| fieldformat _time=strftime(_time,"%Y-%m-%d %H:%M:%S")
| bin span=2h _time
| stats count by _time SFDC
| chart values(count) by _time SFDC
| reverse

