Combine events based on timestamps in event

manuarora12 · ‎11-14-2017

I have events as following
Category=a starttime="2017-11-14 05:25:22"
Category=b starttime="2017-11-14 05:29:22"
Category=b starttime="2017-11-14 04:28:18"
Category=c starttime="2017-11-14 03:22:21"
Category=a starttime="2017-11-14 06:21:28"

I want all events count by Category by hour of occurance as per starttime. _time might be completely different from starttime.

So results should say something like

Hour Category Count
5 a 1
b 1
6 b 1

niketn · ‎11-14-2017

@manuarora12, you can try the following:

<YourBaseSearch>
|  eval _time=strptime(starttime,"%Y-%m-%d %H:%M:%S")
|  timechart span=1h count by Category

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

knielsen · ‎11-14-2017

What about

<your search> | rex field=starttime "\S{10}\s(?<Hour>\d\d)" | stats count by Hour, Category

Regards,
Kai.

Combine events based on timestamps in event

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms