
Is it possible to group events by date range within 1 second?

dcheng123
Engager

Sorry if this question was asked before, but I couldn't seem to find it. I am trying to do a group by on _time so that I can aggregate rows with the same time together. However, I was wondering if it's possible to do a group by on a date range, like within 1 second or something.
My current search is | stats count(_time) by _time

eg.)

what i have

 _time                                 |    count(_time)   |    col
2017-02-28T05:42:45.000-05:00          |    1              |    A
2017-02-28T05:42:44.000-05:00          |    1              |    A
2017-02-28T08:11:07.000-05:00          |    2              |    B

what I want

 _time                                                 |     count(_time)   |       col
2017-02-28T05:42:45.000-05:00 (grouped up in someway)  |     2              |       A
2017-02-28T08:11:07.000-05:00                          |     2              |       B

Since 2017-02-28T05:42:45.000-05:00 and 2017-02-28T05:42:44.000-05:00 are one second apart, I was hoping it's possible to group them together.

Thanks in advance.

0 Karma

somesoni2
Revered Legend

If you have events like below, the 2nd event can be merged with both the first and the second, so where should it go? Or do you want all three events to be merged together?

 _time                                 |    count(_time)   |    col
 2017-02-28T05:42:45.000-05:00          |    1              |    A
 2017-02-28T05:42:44.000-05:00          |    1              |    A
 2017-02-28T05:42:43.000-05:00          |    1              |    A
0 Karma

niketn
Legend

Is col your extracted field? Are you looking to group by time every second, and not to group by col?

<Your Base Search>| stats count as Count by col

Based on what you have asked, you can use bin with stats or timechart, either one with span=1s (provided you have multiple rows per second and data flowing in every second). If data does not flow in every second, you should use a longer span.

| bin _time span=1s
| stats count by _time

Or

| timechart span=1s count by _time
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

DalJeanis
Legend

Pretty close. Since dcheng123 wants the col value, we need to include it in the stats.

 | bin _time span=1s
 | stats count by _time col

Also, timechart chokes on "by _time", since it already assumes it is going to present the data by _time.

 | bin _time span=1s
 | timechart span=1s count by col
0 Karma

niketn
Legend

@DalJeanis yes... I was not sure of the col field being available, since it was not present in the query in the question, and the question also did not mention stats by col. Let's hope that @dcheng123's issue is resolved 🙂

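The two grouping behaviours discussed in this thread, as an added Python model that is not Splunk's code: `bin_stats` assumes that `bin _time span=Ns` floors each epoch time to a multiple of N seconds (fixed, epoch-aligned buckets, so two events one second apart may land in different 1s buckets but in the same 2s bucket), and `chain_stats` models the neighbour-merging alternative somesoni2's question points at, where a chain 43, 44, 45 collapses into one group. The sample events are constructed from the question's tables.

```python
from collections import Counter
from datetime import datetime

# Constructed sample events, copied from the question's table: (_time, col).
EVENTS = [
    ("2017-02-28T05:42:45.000-05:00", "A"),
    ("2017-02-28T05:42:44.000-05:00", "A"),
    ("2017-02-28T08:11:07.000-05:00", "B"),
    ("2017-02-28T08:11:07.000-05:00", "B"),
]
# somesoni2's chain: three events one second apart.
CHAIN = [(f"2017-02-28T05:42:{s}.000-05:00", "A") for s in (45, 44, 43)]


def to_epoch(ts):
    """Parse an ISO-8601 timestamp with UTC offset into epoch seconds."""
    return datetime.fromisoformat(ts).timestamp()


def bin_stats(events, span):
    """Model `| bin _time span=<span>s | stats count by _time col`.
    Assumption: bin floors each epoch time to a multiple of span seconds,
    so bucket edges are fixed and do not depend on neighbouring events."""
    counts = Counter()
    for ts, col in events:
        bucket = int(to_epoch(ts) // span) * span
        counts[(bucket, col)] += 1
    return dict(counts)


def chain_stats(events, gap):
    """Alternative grouping: an event joins the current group of its col when it
    is within `gap` seconds of the previous event of that col, so a chain
    43,44,45 merges into one group even though 43 and 45 are two seconds apart.
    The group key is the epoch time of the group's first event."""
    groups = Counter()
    last = {}  # col -> (group start epoch, previous event epoch)
    for ts, col in sorted(events, key=lambda e: to_epoch(e[0])):
        epoch = to_epoch(ts)
        start, prev = last.get(col, (epoch, None))
        if prev is None or epoch - prev > gap:
            start = epoch  # too far from the previous event: open a new group
        last[col] = (start, epoch)
        groups[(start, col)] += 1
    return dict(groups)


if __name__ == "__main__":
    for span in (1, 2):
        print(f"bin span={span}s:", bin_stats(EVENTS, span))
    print("chain gap=1s:", chain_stats(CHAIN, 1))
```

With span=1s the question's two A events stay in separate buckets; with span=2s they share one, which is the "longer span" niketn mentions, while the chain model merges them regardless of where the bucket edge falls.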