Splunk Search

24 hours time search

pinzer
Path Finder
sourcetype="sophos" pmx_action="keep" fur!="none" | bucket _time span=24h | timechart span="1d" count 

Hi all, I need to do a search that counts the events by 24 hours from the time when the search is started, even if that is in the middle of a day and not at midnight.

The search above counts by day, but if I start the search at 2pm it counts only from midnight to 2pm and not from 2pm of the previous day to 2pm of this day.

0 Karma

sideview
SplunkTrust

One idea is just to use eval's now() and relative_time() to muck with the _time values yourself:

<your search> | eval secondsElapsedToday = now()-relative_time(now(), "@d") | eval _time=_time-secondsElapsedToday | bucket _time span=1d

The events that occurred between now and the same time yesterday will all have the timestamp of yesterday at midnight...

If you want them all to have the timestamp of now(), you'd just tack this onto the end to add the delta back after you've done the bucketing:

| eval _time=_time+secondsElapsedToday


UPDATE: reading your comment, I think it's quite possible that all you need is something much simpler. Maybe you just want to run a search that does this?

a) uses the time arguments to search only from exactly -24h to now.

b) just counts the events. Period. And you can divide that number by 24 if you want the average per hour.

This would look like:

sourcetype="sophos" pmx_action="keep" fur!="none" | stats count | eval avg_count=count/24

And the key thing again is to use the timerangepicker's custom mode to set the timerange to exactly (-24h, now):

http://www.splunk.com/base/Documentation/latest/User/ChangeTheTimeRangeOfYourSearch

pinzer
Path Finder

Hi, no, what I need is to count the events of the last 24 hours from now and to compare it with the daily average of the month over the same time interval.

0 Karma

pinzer
Path Finder

Thanks a lot, I've done this:

sourcetype="sophos" pmx_action="keep" fur!="none" | eval secondsElapsedToday = now()-relative_time(now(), "@d") | eval _time=_time-secondsElapsedToday | bucket _time span=1d | stats count by _time | stats last(count) as today_count, avg(count) as avg_count

But if the last day is without events, this search shows the number of the previous day. How can I fix this? Thanks a lot.

0 Karma
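The shift-then-bucket idea from sideview's answer, together with the empty-newest-window problem raised in the last post, as an added Python example that is not code from the thread or from Splunk. It mirrors the SPL pieces (`now()-relative_time(now(), "@d")`, `bucket _time span=1d`, `stats last(count), avg(count)`) on constructed sample timestamps so the window boundaries can be checked by hand; the function names, the sample events and the search times are assumptions, and reporting an empty window as zero (instead of letting `last(count)` fall back to the previous day) is one approach, not the poster's own solution.

```python
"""Rolling 24-hour windows anchored at the search time, mirroring the SPL idea of
shifting _time by the seconds elapsed since midnight and then bucketing by day."""
from collections import Counter
from datetime import datetime, timedelta


def midnight(dt):
    """relative_time(t, "@d") equivalent: snap a timestamp to the start of its day."""
    return dt.replace(hour=0, minute=0, second=0, microsecond=0)


def seconds_elapsed_today(now):
    """now() - relative_time(now(), "@d"): seconds between midnight and now."""
    return (now - midnight(now)).total_seconds()


def rolling_day_counts(event_times, now, days):
    """Count events per 24h window ending at `now`, oldest window first.

    Each window is returned as (window_start, count). window_start is the real
    clock time the window begins: the shifted bucket with the offset added back,
    like `eval _time=_time+secondsElapsedToday`. Windows with no events are
    reported with count 0 rather than dropped, so the newest entry is always the
    window that ends at `now`.
    """
    shift = timedelta(seconds=seconds_elapsed_today(now))
    counts = Counter()
    for t in event_times:
        if t >= now:
            continue  # constructed guard: ignore anything at or after the search time
        counts[midnight(t - shift)] += 1  # bucket _time span=1d on the shifted time

    # Events from the last 24h land in the bucket labelled "yesterday at midnight".
    newest_bucket = midnight(now - shift) - timedelta(days=1)
    buckets = [newest_bucket - timedelta(days=i) for i in range(days - 1, -1, -1)]
    return [(b + shift, counts.get(b, 0)) for b in buckets]


def today_vs_average(event_times, now, days):
    """today_count = count in the newest window (0 if empty); avg_count = mean over
    all `days` windows, like `stats last(count) as today_count, avg(count) as avg_count`
    but without the empty-window problem."""
    rows = rolling_day_counts(event_times, now, days)
    today_count = rows[-1][1]
    avg_count = sum(c for _, c in rows) / len(rows)
    return today_count, avg_count


def last_nonempty_count(event_times, now, days):
    """What `stats count by _time | stats last(count)` yields: the newest bucket
    that actually has events, which silently becomes an older day when the
    current window is empty."""
    nonempty = [c for _, c in rolling_day_counts(event_times, now, days) if c > 0]
    return nonempty[-1] if nonempty else 0


# Constructed sample data: six events and two hypothetical "search started" times.
SAMPLE_EVENTS = [
    datetime(2024, 3, 6, 20, 0),    # older than the three windows shown below
    datetime(2024, 3, 8, 2, 0),     # window starting 2024-03-07 14:00
    datetime(2024, 3, 8, 14, 0),    # exactly at a window start -> belongs to that window
    datetime(2024, 3, 9, 13, 59),   # last minute of the 2024-03-08 14:00 window
    datetime(2024, 3, 9, 15, 0),    # newest window (2024-03-09 14:00 .. search time)
    datetime(2024, 3, 10, 13, 59),  # newest window
]
SEARCH_TIME = datetime(2024, 3, 10, 14, 0)
LATER_SEARCH_TIME = datetime(2024, 3, 12, 14, 0)  # newest window has no events

if __name__ == "__main__":
    for start, count in rolling_day_counts(SAMPLE_EVENTS, SEARCH_TIME, 3):
        print(f"{start:%Y-%m-%d %H:%M} -> {count}")
    print(today_vs_average(SAMPLE_EVENTS, SEARCH_TIME, 3))
    # Two days later the newest window is empty: last_nonempty_count still reports 2.
    print(today_vs_average(SAMPLE_EVENTS, LATER_SEARCH_TIME, 3),
          last_nonempty_count(SAMPLE_EVENTS, LATER_SEARCH_TIME, 3))
```

With the search time at 14:00, the three windows start at 14:00 on 03-07, 03-08 and 03-09 and hold 1, 2 and 2 events; the `last_nonempty_count` helper shows why `stats last(count)` reports the previous day's number once the newest window is empty, while `rolling_day_counts` keeps that window in the result with a count of 0.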