Grouping Activity By Hour Across Months

xbudahx
Explorer

I am trying to display a line chart on a dashboard which shows activity of a service by time of day. I need to show this over several months to determine what time of day is busiest.

This would be easy, would it not be for a need to eliminate the service calls made by a monitor. These are made once every ten minutes and need to be left out of the results.

I'm using message_id for the count, since I want the call and response (2 separate log entries) to count only once. My issue is that my results are not correct, it seems as if they are being truncated or if my math is somehow off.

The search I'm using is below and any help is much appreciated.

index="platform_osb" sourcetype="OSB" SingleSignOn SVC_ACCT earliest=10/08/2013:0:0:0 latest=@d
| rex field=_raw "message-id:\s+(?P<message_id>[^,]+)"
| eval searchStartTime=strptime("10/08/2013", "%m/%d/%Y")
| eval reductionFigure=(floor((now()-searchStartTime)/60/60/24)-1)*6
| stats count(message_id) as Count1 by date_hour reductionFigure
| eval Count=Count1-reductionFigure
| table date_hour Count1 Count | fields - Count1

0 Karma

somesoni2
Revered Legend

The problems that I see with your query are:
Call and Response are two separate entries, and if they both have message-id, then by using "|stats count(message_id)" you are counting them both.
If the message-id field is unique for every set of Call and Response events, then you should use "|stats dc(message_id)".
Try it and let me know if it helps.

0 Karma

xbudahx
Explorer

Specifically, I made the change to reductionFigure you suggested.

Thanks!

0 Karma

xbudahx
Explorer

Thank you.

I did make the change you suggested, however my results remain unchanged.

0 Karma

somesoni2
Revered Legend

Ohh my bad, another issue that I see is with the reductionFigure calculation. The time range for the search is "10/08/2013:0:0:0" to "@d" (for today it'll be "12/05/2013:0:0:0"). But while calculating reductionFigure, you are considering "10/08/2013:0:0:0" to "now()" (which will be "12/05/2013:13:10:59" by now), so ultimately you are reducing the count by an extra 13*6, which is not correct.
To resolve this, either change your latest to "now()" or change the eval command for reductionFigure to "|eval reductionFigure=(floor((relative_time(now(),"@d")-searchStartTime)/60/60/24)-1)*6".

0 Karma

somesoni2
Revered Legend

Ohk, my bad. Another issue that I see is with the time range. The time range for the search is from "10/08/2013:0:0:0" to "@d" (which is "Current Date (M/D/Y) 00:00:00"). But your reductionFigure is calculated from "10/08/2013:0:0:0" to "now", which means if you are executing the search at, say, 9:00 AM, you're reducing the count by an extra 9*6. So in the reductionFigure eval command, instead of "now()", use "relative_time(now(), "@d")".

0 Karma
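As an added example that is not part of the thread, here is a small Python model of the search under discussion: constructed OSB-style lines (a call and a response sharing one message-id, a monitor call every ten minutes, plus a couple of user calls) are run through the same rex, counted per date_hour both as count and as dc, and the reductionFigure formula is evaluated against now() and against midnight (@d) so it can be compared with the true number of monitor calls in an hour bucket. The line format and the mon-/usr- id prefixes are assumptions, not the real log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

MSG_ID = re.compile(r"message-id:\s+(?P<message_id>[^,]+)")  # same rex as the search

def build_log(start, latest, user_calls):
    """Constructed events (timestamp, raw line, is_monitor): a monitor call every 10 minutes
    from start up to latest, plus user calls; every call has a response with the same id."""
    events = []
    t, n = start, 0
    while t < latest:
        events += [(t, f"{k} message-id: mon-{n}, SingleSignOn", True) for k in ("call", "response")]
        t, n = t + timedelta(minutes=10), n + 1
    for i, t in enumerate(user_calls):
        events += [(t, f"{k} message-id: usr-{i}, SingleSignOn", False) for k in ("call", "response")]
    return events

def counts_by_hour(events):
    """Mimic '| stats count(message_id) dc(message_id) by date_hour' -> {hour: (count, dc)}."""
    count, distinct = defaultdict(int), defaultdict(set)
    for t, raw, _ in events:
        m = MSG_ID.search(raw)
        if m:
            count[t.hour] += 1
            distinct[t.hour].add(m.group("message_id"))
    return {h: (count[h], len(distinct[h])) for h in count}

def monitor_per_hour(events):
    """Ground truth from the constructed flag: distinct monitor message-ids per hour bucket."""
    seen = defaultdict(set)
    for t, raw, is_mon in events:
        if is_mon:
            seen[t.hour].add(MSG_ID.search(raw).group("message_id"))
    return {h: len(s) for h, s in seen.items()}

def reduction_figure(search_start, end):
    """The thread's formula, (floor(days from searchStartTime to end) - 1) * 6; end is now() or @d."""
    days = (end - search_start).total_seconds() // 86400
    return int(days - 1) * 6

def demo():
    """Two full days of constructed log with one user call in hour 14 of each day."""
    start, latest = datetime(2013, 10, 8), datetime(2013, 10, 10)
    users = [start + timedelta(hours=14, minutes=5), start + timedelta(days=1, hours=14, minutes=30)]
    events = build_log(start, latest, users)
    count, dc = counts_by_hour(events)[14]
    return {"count": count, "dc": dc, "true_monitor": monitor_per_hour(events)[14],
            "reduction_now": reduction_figure(start, latest + timedelta(hours=13, minutes=10)),
            "reduction_midnight": reduction_figure(start, latest)}
```

In demo() the plain count is exactly twice the distinct count because every call has a response, and the true monitor share of an hour bucket is 6 per day in the window, which is the number any reduction figure has to be checked against.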

xbudahx
Explorer

Thank you, although I think I misspoke: the call is the only one with SVC_ACCT in it, so searching for that is keeping my count distinct.

0 Karma