Splunk Search

How to search the results multiple times.

Moreilly97
Path Finder

So I have a set of data with fields such as TimeCreated and TimeAssigned , which after some calculations I am left with the data and a new field which is the time taken to be assigned.

I want to group the data into time blocks, such as amount of events assigned within 30 minutes, 1 hour etc... Not specifically 30 minute intervals though.

I have no problem getting the first block, but how would I search the first results again in order to filter them into another time block.

Any Help is appreciated, thanks.

Edit: An example of what Im doing

Each event is a ticket that has a field called TimeCreated, that is the time the ticket was created by the system, and a field called TimeAssigned, the time it was assigned to a user.

| eval itime=strptime(TimeCreated,"%Y-%m-%d %H:%M:%S") 
| eval otime=strptime(TimeAssigned,"%Y-%m-%d %H:%M:%S") 
| eval TimeDiff=(otime-itime)
| eval field_in_hhmmss=tostring(TimeDiff, "duration") 

This is what I have to find the difference between them, and it works perfectly but what I am looking for is how to filter the results of this search and get,for example, the total tickets assigned before 45minutes, between 1 and 2 hours etc.

0 Karma
1 Solution

niketn
Legend

@Moreilly97, you can try something like the following to create SLA duration. I have created three ranges <=30 min, <=1 hr, <=2hr and >2hr

  <YourBaseSearch>
 | eval itime=strptime(TimeCreated,"%Y-%m-%d %H:%M:%S") , otime=strptime(TimeAssigned,"%Y-%m-%d %H:%M:%S") 
 | eval TimeDiff=(otime-itime)
 | eval SLA=case(TimeDiff<=1800, "<= 30 min",TimeDiff<=3600 AND TimeDiff>1800, "<= 1 hr",TimeDiff<=7200 AND TimeDiff>3600, "<= 2 hr",true(),">2 hr")
 | stats count by SLA

The reason why I was asking for _time was that if it matches with either TimeCreated or TimeAssigned, then you can use _time instead of that field and reduce one strptime() evaluation. However, seems like that would not be possible.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma

niketn
Legend

@Moreilly97, you can try something like the following to create SLA duration. I have created three ranges <=30 min, <=1 hr, <=2hr and >2hr

  <YourBaseSearch>
 | eval itime=strptime(TimeCreated,"%Y-%m-%d %H:%M:%S") , otime=strptime(TimeAssigned,"%Y-%m-%d %H:%M:%S") 
 | eval TimeDiff=(otime-itime)
 | eval SLA=case(TimeDiff<=1800, "<= 30 min",TimeDiff<=3600 AND TimeDiff>1800, "<= 1 hr",TimeDiff<=7200 AND TimeDiff>3600, "<= 2 hr",true(),">2 hr")
 | stats count by SLA

The reason why I was asking for _time was that if it matches with either TimeCreated or TimeAssigned, then you can use _time instead of that field and reduce one strptime() evaluation. However, seems like that would not be possible.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Moreilly97
Path Finder

Thanks very much ! This works great.

0 Karma

logloganathan
Motivator

Please provide your modify let me try to give the full query

0 Karma

niketn
Legend

@Moreilly97, you need to provide more explanation with example for community experts to assist you better. Please mock/anonymize any sensitive data/field before posting the same.

Do each event have both TimeCreated and TimeAssigned or is there some key that needs to be used to correlate the two together. Based on your description for each correlated data, do you need to find the duration TimeAssigned- TimeCreated and find the ranges for duration like 30 min or 1 hour etc?

Can you add sample data for TimeAssigned and TimeCreated also your indexed data time stamp _time for each event?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Moreilly97
Path Finder

Hello @niketnilay thanks for the comment.

I have edited my original post with code to better illustrate what Im working with.
An example of how the TimeCreated and TimeAssigned field values look like are: 2018-02-12 13:56:09
and the _time looks like 2018-02-27T17:27:10.000-08:00

0 Karma

logloganathan
Motivator

Please use date command strp and stre.
you can also use regular expression

0 Karma

deepashri_123
Motivator

Hey Moreilly97,

You can use the bin command to group events for particular interval.
Reference: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/bin#Examples

Hope this helps!!!

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...