You could win up to $50,000 building Splunk apps in the Splunk>Apptitude contest. Learn more »
<code>sourcetype="sophos" pmx_action="keep" fur!="none" | bucket _time span=24h | timechart span="1d" count </code>
Hi all, i need to do a search that count the events by 24 hours from the time when the search is started, also if is in the middle of a day and not at midnight.
The search above counts by day but if i start the search at 2pm it counts only from midnight to 2pm and not from 2pm of the previous day to 2pm of this day.
One idea is just to use eval's now() and relative_time() to muck with the _time values yourself:
<your search> | eval secondsElapsedToday = now()-relative_time(now(), "@d") | eval _time=_time-secondsElapsedToday | bucket _time span=1d
The events that occurred between now and the same time yesterday will all have the timestamp of yesterday at midnight...
if you want them all to have the timestamp of now(), you'd just tack this onto the end to add the delta back after you've done the bucketing::
| eval _time=_time+secondsElapsedToday
UPDATE: reading your comment, I think it's quite possible that all you need is something much simpler . Maybe you just want to run a search that does this?
a) uses the time arguments to search only from exactly -24h to now.
b) just counts the events. period. and you can divide that number by 24 if you want the average per hour.
This would look like:
sourcetype="sophos" pmx_action="keep" fur!="none" | stats count | eval avg_count=count/24
and the key thing again is to use the timerangepicker's custom mode to set the timerange to exactly (-24h,now)
Numeric Comparison on Eventtype? 2 Answers