How to create specific timerange fields to group s...

Fleety · ‎11-11-2022

Hello,

I have a collection of logs (same source type) but some of them have different or additional fields. In order to figure out when they appear, I'm trying to create a Query that shows me which fields are distinct after a specific time range.

Let's say I have 200 events from 13:00 to 14:00. Now I want to group by stats values(*) results by creating timerangefields:

| eval timerange1=(13:00 to 13:15), timerange2=(13:15 to 13:30)

so I can use

|stats values(*) by timerange1, timerange2

I was considering using date_hour, date_minute etc.. but I think there must be an easier way as I would need addititional commands. Also I don't know the right format as I get everytime "Type checking failed. '-' only takes numbers. So do you have any suggestions how I could solve this?

I'm thankful for any help

Kind regards

Alex

gcusello · ‎11-11-2022

Hi @Fleety,

see this approach to adapt to your need:

<your_search earliest=-h@h latest=@h
| eval minute=strftime(_time"%M")
| eval timerange=if(minute<=30,"timerange1","timerange2")
 |stats values(*) AS * by timerange

Ciao.

Giuseppe

How to create specific timerange fields to group stats?

eval

stats

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Splunk App Dev Community Updates – What’s New and What’s Next

The Latest Cisco Integrations With Splunk Platform!

Are you a member of the Splunk Community?