Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Hourly breakdown of data with math operation

chablist
New Member
‎12-18-2012 03:28 PM

I have a log file that always has the same structure of:
time1,time2,groupNumber

eg:
355350224,338837556,2
1355350228,338837557,2
1355312572,338828143,2
1355350212,338837553,2
1355350216,338837554,2
1355350220,338837555,2
1355350224,338837556,2
1355310304,338827576,2

I want to group the times into buckets of a 1 hour span and then take the resulting count in each of those buckets and divide them by a number lets say 60.

So assume i have 10 items during the 12am-1am window on 12/12 and 5 items during the 1am-2am window on 12/12

This will give me a resulting table looking like:

Time | FunctionEvaluation
12/12 12am | .16667
12/12 1am | .08333

I was able to get close with:
source = Data _raw=",,4" | timechart span=1h count

but i couldn't perform a math operation

and with this i wasn't able to breakdown by time:
source = Data | rex field=_raw ".,.,(?\d+)" | top 20 groupNumber | sort groupNumber | eval reliability = (1 - (count/12960))*100 | fields groupNumber, reliability

Tags (1)
0 Karma
Reply

chablist
New Member
‎12-18-2012 03:39 PM

finally figured it out:
source = Data _raw=",,4" | timechart span=1h count | eval reliability = count/60

0 Karma
Reply
Get Updates on the Splunk Community!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...