Solved: Regroup Splunk events with almost similar _time

Zakary_n · ‎01-30-2019

Hello all,

Every 10 seconds, I send a bunch of events to Splunk.
I need to count how many events I receive every 10 sec but I can't get the real number because of the fact that Splunk doesn't regroup them together if their time is even slightly different.

Very simple example :

10 : 00 : 10.052 Hello Splunk!
10 : 00 : 10.052 Hello Splunk!
10 : 00 : 10.054 Hello Splunk!
10 : 00 : 10.054 Hello Splunk!

10 : 00 : 20.052 Hello Splunk!
10 : 00 : 20.052 Hello Splunk!
10 : 00 : 20.055 Hello Splunk!

Splunk would regroup those events into 4 groups (events at 10.052 , 10.054, 20.052, 20.055) instead of 2 groups (events at 10.50 and at 20.50 for example).

For such an example, I would like to get something like :
10 : 00 : 10.00 -> 4 Hello Splunk
10 : 00 : 20.00 -> 3 Hello Splunk

Is there a workaround to that ?

Thank you.

Zakary_n · ‎01-30-2019

See vishaltaneja07011993's answer.

View solution in original post

Zakary_n · ‎01-30-2019

See vishaltaneja07011993's answer.

vishaltaneja070 · ‎01-30-2019

@Zakary_n

Thank you 🙂

vishaltaneja070 · ‎01-30-2019

try using timechart with span=10sec

i.e. |timechart count span=10s

Zakary_n · ‎01-30-2019

Yeah simple as that. Should have thought about that, haven't used Splunk in quite a while. Thank you.

Zakary_n · ‎01-30-2019

Completly forgot about timechart omg! Thank you, doing it atm

Regroup Splunk events with almost similar _time

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...