- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to edit my search to get the total count by we...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to edit my search to get the total count by week and by month?
HI,
Below query gives me output as shown below in sorted order
source=abcd.csv| fields Date,count | stats by Date,count | eval Date=strptime(Date, "%d/%m/%Y") | sort Date | eval Date=strftime(Date, "%d/%m/%Y")
Output:
16/03/2015,10
18/03/2015,20
23/03/2015,5
24/03/2015,15
Could you help me in getting total count by week and month?
i.e., I want the count for week ending 22/mar as 30 and week ending 29/mar as 20. Like wise, need for monthly for february/march,etc
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
source=abcd.csv| bucket span=7d _time| eval week_month=strftime(_time, "%d/%m")|chart count by week_month|replace */01 with */january in week_month|replace */02 with */February in week_month|replace */03 with */martch in week_month ............................
or : source=abcd.csv| bucket span=7d _time| eval week_month=strftime(_time, "%d/%b")|chart count by week_month
here is an example you can take as a template with the _internal index:
index=_internal sourcetype=*|bucket span=7d _time| eval w_month=strftime(_time, "%d/%m")|chart count by w_month|replace */01 with */january in w_month|replace */02 with */February in w_month|replace */03 with */martch in w_month|replace */04 with */April in w_month
or more simply : index=_internal sourcetype=*|bucket span=7d _time| eval w_month=strftime(_time, "%d/%b")|chart count by w_month
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
try this for count by week
source=abcd.csv|timechart span="1w" count
and the following for count by month
source=abcd.csv|timechart span="4w" count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Following can be used to get the week number in the year.
| eval week=strftime(_time, "%U")
More formats available at https://docs.python.org/2/library/datetime.html#strftime-and-strptime-behavior
Thanks!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use span with buckets in your search,
eg: |bucket span=7d _time or |bucket span=1mon _time
http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Bucket
http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Timechart
Hope it can help you.
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
