Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to timechart the count of assets per month based on a range between two dates for each asset?

john_dagostino
Path Finder
‎06-27-2016 11:24 AM

In my data, I have a list of assets that occur with a "First Found" date as well as a "Last Found" date. I need to generate a timechart so that each asset is counted for the months that they are "active" (eg anything between the first/last found dates). 

asset  first_found  last_found
Host1  01/01/2016   05/01/2016
Host2  03/15/2016   04/01/2016
Host3  02/10/2016   05/01/2016
Host4  05/01/2016   06/26/2016
Host5  03/01/2016

What I'm looking for using the sample data above is a timechart count by month of each asset that occurred during that month. For January, the count would be 1 (Host1), February would be 2 (Host1, Host2), March would be 4 (Host1, Host2, Host3, Host5), etc. Some events will not have the last_found date which means they are still active and should be counted up to and including the current month. Any help would be appreciated.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎06-27-2016 04:22 PM

Try this

your base search 
| eval first_found=strptime(first_found, "%m/%d/%Y")  
| eval last_found=strptime(last_found, "%m/%d/%Y") 
| eval last_found=if(isnull(last_found), now(), last_found) 
| eval range=mvrange(first_found, last_found, "1mon") 
| mvexpand range 
| eval range=strftime(range, "%m-%b") 
| chart count over range by asset 
| addtotals

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎06-27-2016 04:22 PM

Try this

your base search 
| eval first_found=strptime(first_found, "%m/%d/%Y")  
| eval last_found=strptime(last_found, "%m/%d/%Y") 
| eval last_found=if(isnull(last_found), now(), last_found) 
| eval range=mvrange(first_found, last_found, "1mon") 
| mvexpand range 
| eval range=strftime(range, "%m-%b") 
| chart count over range by asset 
| addtotals
0 Karma
Reply
Solved! Jump to solution

john_dagostino
Path Finder
‎06-28-2016 09:44 AM

Thank you, I was able to get a modified version of this to work.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...