×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
nkumar6
Explorer
Member since: ‎11-21-2019
‎06-05-2020
Community Statistics
Posts 8
Solutions 0
Karma Given 5
Karma Received 0
Member Since ‎11-21-2019
Activity Feed
View All

Re: How to convert similar rows to adjacent column

by in Splunk Search
‎12-04-2019 01:13 PM
1 Karma
‎12-04-2019 01:13 PM
1 Karma
hi nkumar, Please try the below solution.You could use the solution from "sort" in your actual query. If you want to compare start and end time between weeks - Add a step to increment the previous week's time to one week ahead. Please try and let us know. |makeresults | eval _raw="JOBS,DAY,COUNT,START,END abc.123a,TODAY,22,2019/11/04T02:04:05,2019/11/04T02:05:05 axy.143b,TODAY,15,2019/11/04T04:05:05,2019/11/04T04:12:05 abc.144a,TODAY,23,2019/11/04T12:04:05,2019/11/04T12:14:05 abc.123a,LASTWEEK,12,2019/10/27T02:13:05,2019/10/27T02:15:05 axy.143b,LASTWEEK,53,2019/10/27T04:04:05,2019/10/27T04:05:05" | multikv forceheader=1 | sort JOBS,DAY |stats list(COUNT) as TOTAL_COUNT,list(START) as START,list(END) as END BY JOBS |where mvcount(TOTAL_COUNT)>1 |eval START_TIME=strptime(START,"%Y/%m/%dT%H:%M:%S"),END_TIME=strptime(END,"%Y/%m/%dT%H:%M:%S") |eval TOTAL_COUNT_DIFF=abs(tonumber(mvindex(TOTAL_COUNT,0))-tonumber(mvindex(TOTAL_COUNT,1))) |eval "START_TIME_DIFF in Minutes"=(tonumber(mvindex(START_TIME,1))-tonumber(mvindex(START_TIME,0)))/3600,"END_TIME_DIFF in Minutes"=(tonumber(mvindex(END_TIME,1))-tonumber(mvindex(END_TIME,0)))/3600 |table JOBS,TOTAL_COUNT_DIFF,"START_TIME_DIFF in Minutes","END_TIME_DIFF in Minutes" ... View more

Re: Getting full result in join/append

by in Splunk Search
‎12-05-2019 06:37 AM
1 Karma
‎12-05-2019 06:37 AM
1 Karma
| makeresults count=2 | streamstats count | eval _time = if (count==2,relative_time(_time,"+1d@d"), relative_time(_time,"-8d@d")) | makecontinuous span=5m | where strftime(_time,"%d")==strftime(now(),"%d") OR strftime(_time,"%d")==strftime(relative_time(now(),"-7d@d"),"%d") | eval ITEMS="a".(random() % 5 + 1) | table _time ITEMS please paste this query and search, check it. This query is aim to create sample data. and | eval week=case(strftime(_time,"%d")==strftime(now(),"%d"),"COUNT_TODAY",strftime(_time,"%d")==strftime(relative_time(now(),"-7d@d"),"%d"),"COUNT_LASTWEEK") | chart count over ITEMS by week | eval Difference= COUNT_TODAY - COUNT_LASTWEEK | table ITEMS COUNT_TODAY COUNT_LASTWEEK Difference This query is the logic of calculate what you want . _time ITEM If your log has two fields in this way, my logic should work as well. ... View more

Re: How to create a timechart that makes same sear...

by in Splunk Search
‎11-22-2019 09:07 AM
‎11-22-2019 09:07 AM
Great! Glad to help. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma given to
View All