- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Get a field from same time every day, or closest.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would like to get the value of a field from the same time every day (e.g. midday) over a 'long' time period (e.g. a month) That much is easy.
However is it possible, if that is missing, to get the value of a field from the 'closest' time available that day?
I don't much mind whether the closest is +- as long as I understand how its obtained.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vaijpc, I believe the following search would get you what you need.
The breakdown:
Perform an initial query based on your time set as earliest_time and an appropriate + offset. The stats command will get the value closest to
earliest_timegoing forward in time.Join a secondary query based on your time set as latest_time and an appropriate - offset. The stats command will get the value closest to
latest_timegoing back in time.Compare the time difference between fields returned from each query and take
<field>to be the value based on the smaller offset from the desired time.<your_search> earliest_time=-12h latest_time=-11h | stats first(field) as field1,first(_time) as time1 | eval timeDiff1=time1-(now()-43200) | join[search <your_search> earliest_time=-13h latest_time=-12h | stats last(field) as field,last(_time) as time2 | eval timeDiff2=(now()-43200)-time2] | eval field=if(timeDiff1<=timeDiff2,field1,field2)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vaijpc, I believe the following search would get you what you need.
The breakdown:
Perform an initial query based on your time set as earliest_time and an appropriate + offset. The stats command will get the value closest to
earliest_timegoing forward in time.Join a secondary query based on your time set as latest_time and an appropriate - offset. The stats command will get the value closest to
latest_timegoing back in time.Compare the time difference between fields returned from each query and take
<field>to be the value based on the smaller offset from the desired time.<your_search> earliest_time=-12h latest_time=-11h | stats first(field) as field1,first(_time) as time1 | eval timeDiff1=time1-(now()-43200) | join[search <your_search> earliest_time=-13h latest_time=-12h | stats last(field) as field,last(_time) as time2 | eval timeDiff2=(now()-43200)-time2] | eval field=if(timeDiff1<=timeDiff2,field1,field2)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I guess a scheduled search and splunk/bin/fill_summary_index.py could get the job done... not exactly the cleanest solution.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry. No, this will not help you go get the entire year's midday values in one shot. I would recommend using a script which runs one search for each day and combines the results.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think I can see how this is going to work. The problem is that I want a final result of e.g. an entire year's midday values in one go. I don't think this search will give me that? I'll edit my question to make it clearer.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
