Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I group events by date range?

stocksltd
New Member
‎02-05-2016 12:54 PM

I am trying to combine the STB field by date, but if there is another event within +-1 day, I would like to group those STB into the first date. My results look like this:

LAST_REPORT_DATE    STB           TEL           count
1/31/2016          160767276        5551234567   4
                    160987956       
                    161689512       
                    M91542SI9196        

1/21/2016          M91151EJ4964  5551234567  3
                    M91151EJ4980        
                    M91151EJ4992        

1/22/2016          M91148FA0104  5551234567     1

I'm trying to get it to look like this

LAST_REPORT_DATE    STB           TEL           count
1/31/2016          160767276        5551234567   4
                    160987956       
                    161689512       
                    M91542SI9196        

1/21/2016          M91151EJ4964     5551234567   4
                    M91151EJ4980        
                    M91151EJ4992        
                    M91148FA0104
Tags (4)
0 Karma
Reply

somesoni2
SplunkTrust
SplunkTrust
‎02-05-2016 02:37 PM

It would be tough to suggest something without knowing your current query/data. Give this a try

Your current search producing above output. | streamstats current=f window=1 values(LAST_REPORT_DATE) as prev | eval LAST_REPORT_DATE=if(abs(strptime(prev,"%m/%d/%Y")-strptime(LAST_REPORT_DATE ,"%m/%d/%Y"))=86400,prev,LAST_REPORT_DATE ) | stats values(STB) as STB values(TEL) as TEL sum(count) as count by LAST_REPORT_DATE
0 Karma
Reply

stocksltd
New Member
‎02-05-2016 07:51 PM

here are the results before i start grouping

TEL LAST_REPORT_DATE STB STB_TIME
5551234567 1/31/2016 161689512 Wed Feb 03 17:03:08 CST 2016
5551234567 1/31/2016 160987956 Wed Feb 03 18:28:22 CST 2016
5551234567 1/31/2016 160767276 Thu Feb 04 13:49:19 CST 2016
5551234567 1/31/2016 M91542SI9196 Thu Feb 04 12:17:59 CST 2016
5551234567 1/21/2016 M91151EJ4992 Fri Jan 22 20:44:35 CST 2016
5551234567 1/21/2016 M91151EJ4964 Sat Jan 23 02:00:06 CST 2016
5551234567 1/22/2016 M91148FA0104 Mon Jan 25 04:03:42 CST 2016
5551234567 1/21/2016 M91151EJ4980 Sat Jan 23 03:24:47 CST 2016

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...