Getting Data In

Calculate number of events between time intervals

marellasunil
Communicator

Hi,

I would like to calculate the number of events between times in my search.
There are 2 statuses, exceed & within, in my query.
I want to calculate the number of "exceed" events between 11:45 to 1:45 daily.
My query has to run between 22:30 to next day 22:30 to count the total events.

1 Solution

kristian_kolb
Ultra Champion

Not 100% sure that I understand your reporting needs:
- the total number of events per 24 hours, counting from 22:30 each day.
- Also, you want the number of events between 11:45 - 13:45 (assumption) where status=exceed

If you want the 'exceed' events between 11:45 and 01:45 you should change the schedule so that the search runs outside that timeframe, e.g. at 02:00.

So to the answer;

sourcetype = XXX earliest=-1d@d+22h+30m latest=@d+22h+30m 
| stats c as Total
| appendcols 
    [search sourcetype=XXX earliest=-1d@d+11h+45m latest=@d+13h+45m status=exceeded 
    | stats c as "Number of exceeded during my loong lunch"]

Added some indentation so that it's easier to see what happens in the appended search. Set the search to run at 23.00 every day.

As you might guess, the searches operate independently of each other, and the result will look something like;

Total     Number exceeded during my looong lunch
-----     --------------------------------------
124621    9473

Hope this helps,

Kristian
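To see exactly which window each of the earliest/latest modifiers above selects, here is a small resolver for the Splunk relative-time syntax used in the answer (signed offsets plus @snap, applied left to right), together with a count over a few constructed events. This is an added example, not code from the thread or from Splunk; the event list, the run times (23:00 for the daily total, 02:00 for an overnight 23:45 to 01:45 window, as Kristian suggests) and the function names are assumptions, and months, years and DST are not handled.

```python
import re
from datetime import datetime, timedelta

# Subset of Splunk relative-time syntax: signed offsets and @snap units,
# evaluated left to right ("-1d@d+22h+30m" = minus one day, snap to
# midnight, then add 22h30m). Months/years and DST are not modelled here.
_TOKEN = re.compile(r"([+-])(\d+)([a-z]+)|@([a-z]+)")
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_SNAP_FIELDS = {
    "d": dict(hour=0, minute=0, second=0, microsecond=0),
    "h": dict(minute=0, second=0, microsecond=0),
    "m": dict(second=0, microsecond=0),
    "s": dict(microsecond=0),
}


def resolve_relative_time(modifier: str, now: datetime) -> datetime:
    """Resolve a Splunk-style earliest/latest modifier against a fixed 'now'."""
    if modifier in ("", "now"):
        return now
    t, pos = now, 0
    for m in _TOKEN.finditer(modifier):
        if m.start() != pos:  # reject junk between tokens
            raise ValueError(f"cannot parse {modifier!r} near {modifier[pos:]!r}")
        pos = m.end()
        sign, count, unit, snap = m.groups()
        if snap is not None:
            if snap not in _SNAP_FIELDS:
                raise ValueError(f"unsupported snap unit @{snap}")
            t = t.replace(**_SNAP_FIELDS[snap])
        else:
            if unit not in _UNIT_SECONDS:
                raise ValueError(f"unsupported unit {unit!r}")
            delta = timedelta(seconds=int(count) * _UNIT_SECONDS[unit])
            t = t - delta if sign == "-" else t + delta
    if pos != len(modifier):
        raise ValueError(f"trailing text in {modifier!r}")
    return t


def resolve_iso(modifier: str, now_iso: str) -> str:
    """String convenience wrapper: ISO 'now' in, ISO result (minutes) out."""
    now = datetime.fromisoformat(now_iso)
    return resolve_relative_time(modifier, now).isoformat(timespec="minutes")


def count_in_window(events, earliest, latest, now, status=None):
    """Count events with earliest <= _time < latest (Splunk: latest is exclusive),
    optionally restricted to one status value, like the appendcols subsearch."""
    lo = resolve_relative_time(earliest, now)
    hi = resolve_relative_time(latest, now)
    return sum(
        1 for e in events
        if lo <= e["_time"] < hi and (status is None or e["status"] == status)
    )


# Constructed sample events (assumption, not real log data).
SAMPLE_EVENTS = [
    {"_time": datetime(2024, 3, 5, 12, 0), "status": "exceed"},   # outside both windows
    {"_time": datetime(2024, 3, 5, 23, 50), "status": "exceed"},  # after 23:45
    {"_time": datetime(2024, 3, 6, 0, 30), "status": "exceed"},   # past midnight
    {"_time": datetime(2024, 3, 6, 1, 10), "status": "within"},   # wrong status
    {"_time": datetime(2024, 3, 6, 1, 45), "status": "exceed"},   # == latest, excluded
]


def thread_counts():
    """Daily total run at 23:00, overnight exceed count run at 02:00 (assumed run times)."""
    total = count_in_window(
        SAMPLE_EVENTS, "-1d@d+22h+30m", "@d+22h+30m", datetime(2024, 3, 6, 23, 0))
    exceeded = count_in_window(
        SAMPLE_EVENTS, "-1d@d+23h+45m", "@d+1h+45m", datetime(2024, 3, 6, 2, 0),
        status="exceed")
    return total, exceeded


if __name__ == "__main__":
    run_at = "2024-03-05T23:00"
    for mod in ("-1d@d+22h+30m", "@d+22h+30m", "-1d@d+11h+45m", "@d+13h+45m"):
        print(f"{mod:16} -> {resolve_iso(mod, run_at)} (now={run_at})")
    print("total, exceeded =", thread_counts())
```

Resolving the modifiers against a fixed run time is a quick way to check a scheduled search before it goes live: the latest boundary is exclusive, and a window that starts with `-1d@d` and ends with `@d` spans 24 hours only when the hour/minute offsets on both sides match.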


marellasunil
Communicator

Hi Kristian, thank you for the answer, 🙂 It worked, and I also wrote the query in a different way, and this also worked. 🙂 .. | count(eval(Report="exceed" and (StartTime>"00:00:00.000" and StartTime<"01:45:00.000") OR StartTime>"23:45:00.000")) as "exceeded count".

The StartTime field already exists in the logs 😜
