How to get 1 row per bucket in a timechart

Splunkster45
Communicator

Currently, a log file is being written to every 5 minutes that displays each user logged in at that specific point in time.

If I have
5 users on at 13:01
6 users on at 13:06
7 users on at 13:11
8 users on at 13:16
5 users on at 13:21
7 users on at 13:26

I'd like to see one row output corresponding to 1:00 with a value of 8.

When I run this command

     ...| timechart distinct_count(user)  | bucket _time span=30m | makecontinuous _time span=30m

The 6 rows previously mentioned are still there, but their timestamp has been bucketed to 13:00. How do I get 1 row per bucket (half hour) with a value corresponding to the max of the values in that row?

Thanks and have a great weekend!


rsennett_splunk
Splunk Employee

timechart already invokes makecontinuous internally and it also invokes bucket _time. So you would only need those if you wanted to use stats for some reason (and there are many reasons, but none required to get what you want).

What you're asking for (bucketing one row per 30 minute bucket) would be what timechart dc(user) span=30m produces. Is there something about that output that isn't what you want?

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
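As an added illustration (not part of this thread, and written in plain Python rather than SPL), the script below emulates what `timechart dc(user) span=30m` does to a log like the one described: bucket _time to the half hour, count distinct users per bucket, and fill empty buckets with 0 the way makecontinuous would. It also shows the one caveat worth knowing when you read the chart: dc(user) over a 30-minute span counts every user seen anywhere in that half hour, so it can be larger than the largest single 5-minute snapshot. If the number you actually want is the peak number of users logged in at one moment, the second function mirrors a two-stage search such as `... | bucket _time span=5m | stats dc(user) as users by _time | timechart max(users) span=30m` (my suggestion, not from the thread). The sample log lines and user names are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from the thread): the user set seen at each
# 5-minute snapshot. Counts per snapshot are 5, 6, 7, 8, 5, 7 for the 13:00
# half hour, nothing at all for 13:30, then 2 and 3 for the 14:00 half hour.
SNAPSHOTS = {
    "13:01": "alice bob carol dave erin",
    "13:06": "alice bob carol dave erin frank",
    "13:11": "alice bob carol dave erin frank grace",
    "13:16": "alice bob carol dave erin frank grace heidi",
    "13:21": "alice bob carol ivan judy",
    "13:26": "alice bob carol dave erin ivan judy",
    "14:01": "alice bob",
    "14:06": "alice bob carol",
}

# One log line per logged-in user per snapshot: "<timestamp> <user>".
SAMPLE_LOG = "\n".join(
    f"2024-01-05 {hhmm}:00 {user}"
    for hhmm, users in SNAPSHOTS.items()
    for user in users.split()
)


def parse(log):
    """Turn the raw lines into (timestamp, user) events."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        stamp, user = line.rsplit(" ", 1)
        events.append((datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), user))
    return events


def bucket(ts, span):
    """Like `bucket _time span=...`: floor the timestamp to a span boundary."""
    epoch = datetime(1970, 1, 1)
    secs = int((ts - epoch).total_seconds())
    step = int(span.total_seconds())
    return epoch + timedelta(seconds=secs - secs % step)


def fill_gaps(per_bucket, span):
    """Like timechart's continuous output: one row per span from first to
    last bucket, with 0 where no events fell into the span."""
    t, last = min(per_bucket), max(per_bucket)
    rows = []
    while t <= last:
        rows.append((t.strftime("%H:%M"), per_bucket.get(t, 0)))
        t += span
    return rows


def timechart_dc(events, span=timedelta(minutes=30)):
    """Emulates `timechart dc(user) span=30m`: distinct users seen anywhere
    in the whole span (the union of all snapshots in it)."""
    users = defaultdict(set)
    for ts, user in events:
        users[bucket(ts, span)].add(user)
    return fill_gaps({t: len(u) for t, u in users.items()}, span)


def peak_snapshot_dc(events, span=timedelta(minutes=30),
                     snapshot=timedelta(minutes=5)):
    """Two-stage version: dc(user) per 5-minute snapshot first, then the
    max of those counts per 30-minute span (peak concurrent users)."""
    per_snapshot = defaultdict(set)
    for ts, user in events:
        per_snapshot[bucket(ts, snapshot)].add(user)
    peak = defaultdict(int)
    for snap, users in per_snapshot.items():
        b = bucket(snap, span)
        peak[b] = max(peak[b], len(users))
    return fill_gaps(dict(peak), span)


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("timechart dc(user) span=30m ->", timechart_dc(events))
    print("max of per-snapshot dc      ->", peak_snapshot_dc(events))
```

On this data the first function reports 10 for the 13:00 row (ten different people were seen during the half hour) while the second reports 8 (the most people logged in at any one snapshot); both fill the empty 13:30 row with 0. Which one is "right" depends on whether the question is "how many accounts were active this half hour" or "how many sessions were open at peak", and that distinction matters as much for capacity and licensing questions as it does for spotting an unexpected spike in concurrent logins.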

Splunkster45
Communicator

Thanks for pointing this out. I looked at this again today and it is doing exactly what you said and what I want. Funny things start to happen when you stare at a screen too long on a Friday.

I didn't know that about timechart. I think I used stats before and needed those commands. Sure enough, when I got rid of makecontinuous, it didn't change the visualization. timechart dc(user) span=30m makes my search string look much cleaner.

Thanks again!

rsennett_splunk
Splunk Employee

Awesome! Glad it was a simple solution. Sometimes all it does take... is another pair of eyeballs. 🙂

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!