Timechart, Timewrap, Streamstats all provide some cool time travel tricks that will allow us to bin and control time with less SPL effort than using stats. I think your answer lies within one or more of them depending on the "why" of your use case. Also it sounds like this should ultimately be a dashboard powered off "macros", a report vs an ad-hoc search, so be sure to check those concepts out. If ultimate control is needed, we can do this manually with stats and the "|bin _time". As the other example provided shows, Splunk lets you bend time like Doc and Marty McFly!

I always start with Timewrap, because I feel most folks end up trying to implement similar and I can make you dangerous faster :). Plus I'm visual and it helped me conceptualize how Splunk can use time. Here's an example.

Counting over time is pretty easy using timechart vs stats. What's the diff? Timechart implements time for us in the command. Because you care about 20m, I will use the span flag to bin 20m buckets with a time picker of "Today". Also using "dc()" does the dedup for us. Another way to dedup would be to use a split by in your stats vs the "dedup" command.

```Search for access events from specific subnet. Protip: splunk understands CIDR```
index=k8s pod="istio-ingressgateway-757f95b7d9-whsz7" forwarded_for="66.249.0.0/16"
```Use timechart to draw a timeseries, using span to control bins of time, and partial to instruct Splunk to only show complete buckets of time.```
| timechart span=20m partial=f dc(forwarded_for) AS Count

Without knowing more about why the 20 minute loopback at the top of the hour is important to you, let's just graph them all and we can filter down to time slices later in the pipe.

```Search for access events from specific subnet. Protip: splunk understands CIDR```
index=k8s pod="istio-ingressgateway-*" forwarded_for="66.249.0.0/16"
```Use timechart to draw a timeseries, using span to control bins of time, and partial to instruct Splunk to only show complete buckets of time.```
| timechart span=20m partial=f dc(forwarded_for) AS Count
```timewrap 1h to lay the time bins over each other automagically. "series" flag just makes the fields easier to work with```
| timewrap 1h

As you can see timewrap got me from timechart to wrapped timechart for each hour of "Today" with very little effort. From here we should be able to select the time bucket that provides the number we want... in other words the rows in the results that show the top of each hour.

Now... here's where it can go from 0 to 100 real quick... I can then take these time series and iterate over them... I am not saying you need this here... but just to show you how powerful this can be. Especially if your next Answers post is going to be "how do I automate the analysis of these values over time" 😉

```same base search and timechart as above```
index=k8s pod="istio-ingressgateway-*" forwarded_for="66.249.0.0/16"
| timechart span=20m partial=f dc(forwarded_for) AS Count
```use short series name on this example```
| timewrap 1h series=short
```rename the first field to "now"```
| rename Count_s0 AS now
```foreach field, eval a new field by calculating a delta when compared to now```
| foreach Count_s*
    [ eval d<<MATCHSTR>> = now - <<FIELD>> ]
```then use the superpower called streamstats to calculate analytics on the series. I will use a window of 24 because I believe that will be my max and Splunk will probably just do the right thing... lol```
| streamstats window=24 median(d*) AS median_*
```review your fields```
| table _time d* Count_*

In this example I look back 24 values and calculate a median for each series.

PAUSE! That's a lot... now... before we go further I am down a rabbit hole in my own data (default index time fields on HTTP Event Collector data) but I digress.... I am going to try the other solution provided as well or maybe jam some of that into my answer... but let me know if this is getting close to your ultimate goal. I'll add a streamstats version later.... which simply implements a more scalable split by option... see my GitHub example.
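Added example, not part of the original answer: the "manual" route the answer mentions (stats over a hand-binned `_time` instead of timechart), carried through to the top-of-hour bucket the question is after. It assumes the same `k8s` index, `pod` and `forwarded_for` fields as the searches above, a 20m bucket width, and a time picker of "Today"; the search has no SPL comments inside because the three-backtick comment syntax would close the code block.

```spl
index=k8s pod="istio-ingressgateway-*" forwarded_for="66.249.0.0/16"
| bin _time span=20m
| stats dc(forwarded_for) AS Count BY _time
| eval minute=strftime(_time, "%M")
| where minute="00"
| where _time + 1200 <= now()
| streamstats window=24 median(Count) AS median_Count
| eval delta=Count - median_Count
| table _time Count median_Count delta
```

Line by line: `bin _time span=20m` is the bucketing that timechart did for us, and `stats dc(...) BY _time` is the same distinct-count dedup per bucket. `strftime(_time, "%M")` exposes the minute the bucket starts at, so `where minute="00"` keeps only the 00:00-00:20 slice of each hour; change it to `"20"` or `"40"` for the other slices. The `_time + 1200 <= now()` filter drops the bucket that is still filling, which is the manual equivalent of `partial=f`. The trailing streamstats gives a rolling median over the last 24 top-of-hour counts (one day at one row per hour) and `delta` is how far the current hour sits from that median, which is the kind of value you would alert or chart on once this becomes a report or dashboard.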