How to break out eventstats by day?

fmatera · ‎09-28-2019

I have an eventstats search that is working well. What I am having a difficult time with is that I am unable to return results by day. The field apiid is a common id that ties together multiple events. I need the answer field fromm the smallest apiid in the group and the cr_date from the highest apiid. Here is what I have so far:

    base search 
   | eventstats max(id) as maxid min(id) as minid by apiid 
   | eval mintime=if(id=minid,answer,null()) 
   | eval maxtime=if(id=maxid,cr_date,null()) 
   | stats values(mintime) as mintime values(maxtime) as maxtime by apiid 
   | convert mktime(*time) timeformat="%Y-%m-%d %H:%M:%S" 
   | eval diff=abs(mintime-maxtime) 
   | stats avg(diff) as AvgTime 
   | fieldformat AvgTime=tostring(AvgTime, "duration") 
   | eval AvgTime = round(AvgTime,2)

I have tried different combinations of bucket and timechart but have been unsuccessful.
Thanks in advance!

richgalloway · ‎09-28-2019

What results are you getting so far? What have you tried with bucket and timechart?

The stats command is only returning the 'AvgTime' field. Without also returning _time, timechart won't work.

---
If this reply helps you, Karma would be appreciated.

fmatera · ‎09-28-2019

Thanks. For bucket I added
|bucket span=1d _time
After base search. When running over 7 days, it returns 1 number where I would expect 1 number per day

How to break out eventstats by day?

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!