Solved: How to get the count of the last 30 days, for a 15...

dwibedi03 · ‎04-03-2020

My index is getting refreshed every 15 mins and new data gets populated every 15 mins.
I need to count the events for the last 15 mins for each day in a period of 30 days.

Currently, I am doing dc(field) for each day but it removes all the duplicates events and my count is not what I want.

I want to get the count of the last 30 days for a 15 mins period for each day without using dc.

woodcock · ‎04-03-2020

Like this (run for Last 30 days)?

... | timechart span=15m count BY source and maybe other fields here
| eval day = strftime(_time, "%Y%m%d")
| reverse
| dedup day

View solution in original post

woodcock · ‎04-03-2020

Like this (run for Last 30 days)?

... | timechart span=15m count BY source and maybe other fields here
| eval day = strftime(_time, "%Y%m%d")
| reverse
| dedup day

richgalloway · ‎04-03-2020

dc is short for distinct_count, which counts the number of unique values, hence duplicates are not counted.
Consider using c or count, instead.

---
If this reply helps you, Karma would be appreciated.

dwibedi03 · ‎04-03-2020

I was doing count and it was giving a sum of whole day

How to get the count of the last 30 days, for a 15 min period for each day- without using dc

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...