Refine your search:

sourcetype="sophos" pmx_action="keep" fur!="none" | bucket _time span=24h | timechart span="1d" count 

Hi all, i need to do a search that count the events by 24 hours from the time when the search is started, also if is in the middle of a day and not at midnight.

The search above counts by day but if i start the search at 2pm it counts only from midnight to 2pm and not from 2pm of the previous day to 2pm of this day.

asked 15 Nov '10, 15:32

pinzer's gravatar image

pinzer
759524
accept rate: 0%


One Answer:

One idea is just to use eval's now() and relative_time() to muck with the _time values yourself:

<your search> | eval secondsElapsedToday = now()-relative_time(now(), "@d") | eval _time=_time-secondsElapsedToday | bucket _time span=1d

The events that occurred between now and the same time yesterday will all have the timestamp of yesterday at midnight...

if you want them all to have the timestamp of now(), you'd just tack this onto the end to add the delta back after you've done the bucketing::

| eval _time=_time+secondsElapsedToday


UPDATE: reading your comment, I think it's quite possible that all you need is something much simpler . Maybe you just want to run a search that does this?

a) uses the time arguments to search only from exactly -24h to now.

b) just counts the events. period. and you can divide that number by 24 if you want the average per hour.

This would look like:

sourcetype="sophos" pmx_action="keep" fur!="none" | stats count | eval avg_count=count/24

and the key thing again is to use the timerangepicker's custom mode to set the timerange to exactly (-24h,now)

http://www.splunk.com/base/Documentation/latest/User/ChangeTheTimeRangeOfYourSearch

link

answered 15 Nov '10, 21:42

sideview's gravatar image

sideview ♦
35.8k7857
accept rate: 48%

edited 24 Nov '10, 23:01

thanks a lot i've done this:

sourcetype="sophos" pmx_action="keep" fur!="none" | eval secondsElapsedToday = now()-relative_time(now(), "@d") | eval _time=_time-secondsElapsedToday | bucket _time span=1d | stats count by _time | stats last(count) as today_count, avg(count) as avg_count

but if the last day is without events this search shows the number of the previous day. How can i fix this? thanks a lot

(24 Nov '10, 16:44) pinzer

Hi, no what i need is to count the events of the last 24 hours from now and to compare it with the daily average of the month with the same time interval.

(25 Nov '10, 08:49) pinzer
Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Tags:

×2,648
×408
×241

Asked: 15 Nov '10, 15:32

Seen: 2,127 times

Last updated: 01 Apr '11, 05:22

Copyright © 2005-2014 Splunk Inc. All rights reserved.