Splunk Search

incremental part count per hour

mdmaala
Communicator

hi! in my current project, I have to create an area map where it shows the number of parts per hour, I was able to display that. But I also want to display a target part count for the day and for each hour. In my use case, each hour, the target part count should be 10 and for 24 hours the final target should be 240 parts.

here is my search so far: `|savedsearch rename1
|fields Date_Time Username Green Yellow Red
|rex field=Date_Time "(?P\d{4}\/\d{2}\/\d{2})\s(?P\d{2}:\d{2}:\d{2})"
|sort 0 _time Username Green Yellow Red
|streamstats window=1 current=f list(_time) as prevTime list(Green) as RUN
|bucket Time span=1h |stats list(RUN) as Count1 by Time

| appendcols[|savedsearch rename2
|fields Date_Time Username Green Yellow Red
|rex field=Date_Time "(?P\d{4}\/\d{2}\/\d{2})\s(?P\d{2}:\d{2}:\d{2})"
|sort 0 _time Username Green Yellow Reda
|streamstats window=1 current=f list(_time) as prevTime list(Green) as RUN2
|bucket Time span=1h |stats list(RUN2) as Count2 by Time]

|eval Part_Count = Count1 + Count2
|eval Target = round(24hours*10)
|eval Current = round(currenttime * 10)`

0 Karma

daniel_wilson32
New Member

Have you already debugged that code on some ide or framwork, you could add module which you want to by getting it installed from the authenticated source.

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...