Deployment Architecture

Generate buckets between earliest and latest

gschmitz
Path Finder

Hi all,

I'm looking for something like seq for times in Splunk.

One example:

|seq from=now to=1d span=4h

would generate events with _time as

  • [now+ 0h]
  • [now+ 4h]
  • [now+ 8h]
  • [now+12h]
  • [now+16h]
  • [now+20h]
  • [now+24h]

Do you know of a way to achieve this behavior? bucket and bin work similar, but need a start and end event. That's why the next best thing I could build was

|stats count | fields - count |eval _time=now()-7*24*3600 |append [|stats count | fields - count |eval _time=now()+21*24*3600] | bucket _time span=4h |makecontinuous _time span=4h

which is not very nice to look at and only approximately what I wanted (start and end don't exactly match).

1 Solution

gschmitz
Path Finder

Gentimes. Another hour wasted which Splunk already spent for me 😄

http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchReference/Gentimes

View solution in original post

gschmitz
Path Finder

Gentimes. Another hour wasted which Splunk already spent for me 😄

http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchReference/Gentimes

Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...