Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Bucket not bucketing Z after calling chart X over Y by Z

kkas
Path Finder
‎06-17-2015 10:10 AM

I am trying to get the output to look like this

Process Name | 10:00:00 | 10:10:00| 10:20:00...etc
_________________________________________________
C:\          |    0       |    3       |     1
C:\          |    1       |   2        |     0

My Search currently looks like this:

search sourcetype="Beta" Account_Name=Alpha|eval time=strftime(_time, "%H:%M:%S")|bucket time span=10m|chart count over New_Process by time

It instead outputs

Process Name | 10:00:01 | 10:00:02| 10:00:03...etc
    _________________________________________________
    C:\          |    0       |    3       |     1
    C:\          |    1       |   2        |     0

Any idea how to fix this? or what may be wrong?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎06-17-2015 11:14 AM

You can't bucket a string into ten-minute segments, so you will need to reorder your query like so:

 sourcetype="Beta" Account_Name=Alpha | bucket _time span=10m |eval time=strftime(_time, "%H:%M:%S") | chart count over New_Process by time

That will apply the bucketing while the timestamp still is a timestamp, and then turn it into a string you want for neat displaying.

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎06-17-2015 11:14 AM

You can't bucket a string into ten-minute segments, so you will need to reorder your query like so:

 sourcetype="Beta" Account_Name=Alpha | bucket _time span=10m |eval time=strftime(_time, "%H:%M:%S") | chart count over New_Process by time

That will apply the bucketing while the timestamp still is a timestamp, and then turn it into a string you want for neat displaying.

Reply
Solved! Jump to solution

kkas
Path Finder
‎06-17-2015 11:34 AM

Thanks!!! this worked!

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-17-2015 10:44 AM

Try this (the last time should be _time😞

 search sourcetype="Beta" Account_Name=Alpha|eval time=strftime(_time, "%H:%M:%S")|bucket time span=10m|chart count over New_Process by _time
0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎06-17-2015 11:14 AM

That doesn't use the bucketed value at all in the chart.

0 Karma
Reply
Solved! Jump to solution

kkas
Path Finder
‎06-17-2015 11:22 AM

I had tried switching in and out _time for time but it doesn't change the layout like im looking for. only changes between the evaluated format and the original time format

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-17-2015 11:18 AM

You are correct, there was a typo and some extra stuff. it is fixed now; please retry:

  sourcetype="Beta" Account_Name=Alpha|bucket _time span=10m|chart count over New_Process by _time
0 Karma
Reply
Solved! Jump to solution

kkas
Path Finder
‎06-17-2015 11:43 AM

Thanks for your input!
I'm not sure if it works because I don't know how to read the mumbo jumbo time it spits out but I get the same table format as the question stated except the time slots are displayed as follows:
1434553200|1434554400|1434555000|1434555600...etc

I'm not sure if those translate to time 10 minutes apart, but I thought I would let you know what happened for both of our education 🙂
I tried Martin's approach and it worked, but I still appreciate your input as always woodcock!

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...