Solved: Re: Group by a particular field over time

VipulGarg19 · ‎04-29-2012

I have some logs which has its logging time and response code among other information. Now I want to know the counts of various response codes over time with a sample rate defined by the user. I am using a form to accept the sample rate from the user.

To convert time into different intervals, I am using -

eval inSec = startTime/(1000*60*sampleR)   | eval inSec= floor(inSec)   | eval inSec=inSec*60*sampleR  | fieldformat inSec = tostring(inSec, "duration")   | eval startTimeInDate=strftime(inSec,"%Y-%m-%d %H:%M:%S")

where sampleR is the sampleRate defined by the user in minutes.

This gives me time in separate intervals for each event. But I am unable to come up with a query which will count the values of distinct response codes in each interval over this startTimeInDate.

Has anybody used this query before?

Thanks and Regards

Ayn · ‎04-30-2012

I think you're overcomplicating things. Have you looked at the timechart and bucket commands? bucket is used to discretize time values in specified timespans, which is what it seems you're trying to do in your query. So in order to take the sample rate sampleR from the user and use it to create intervals, you could do

... | bucket inSec span=$sampleR$m

where $sampleR$ is the variable you retrieved from the user of course.

Once you have buckets of discrete values for inSec, just run stats or chart over it:

...  | stats dc(responseCode) by inSec

EDIT: Based on the further info you gave, this is my understanding of what you want: a timechart with the count of response code occurrences in each timespan. This is how you could do it:

... | chart count over inSec by responseCode

View solution in original post

Ayn · ‎04-30-2012

I think you're overcomplicating things. Have you looked at the timechart and bucket commands? bucket is used to discretize time values in specified timespans, which is what it seems you're trying to do in your query. So in order to take the sample rate sampleR from the user and use it to create intervals, you could do

... | bucket inSec span=$sampleR$m

where $sampleR$ is the variable you retrieved from the user of course.

Once you have buckets of discrete values for inSec, just run stats or chart over it:

...  | stats dc(responseCode) by inSec

EDIT: Based on the further info you gave, this is my understanding of what you want: a timechart with the count of response code occurrences in each timespan. This is how you could do it:

... | chart count over inSec by responseCode

VipulGarg19 · ‎05-08-2012

Thanks Ayn for the Answer. Sorry for the late reply.

Ayn · ‎04-30-2012

Ah, I see. Updating my answer accordingly.

VipulGarg19 · ‎04-30-2012

Hello, Thanks for pointing about the bucket option.

about the next part for "... | stats dc(responseCode) by inSec", I had already tried for this query, but it shows the total number of distinct response codes in each interval/bucket.

Instead I want the count of EACH distinct response code in each interval/bucket. i.e. I want to know how many 200, 400, 503 response codes were there in each bucket rather than how many unique response codes were there in each bucket.

Group by a particular field over time

Enterprise Security Content Update (ESCU) | New Releases

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification