Solved: How to count the number of eventts starting at 9 a...

auaave · ‎01-03-2018

Hi Guys,

I have the below query using that is using the shared timepicker: today, which is counting the events from 00:00 to 23:59.
How can I make it to start count the events from 9:00 to 23:59?

| dedup IDEVENT 
| timechart SPAN=1H COUNT AS IDEVENT 
| rename IDEVENT AS " PALLET QUANTITY"

Thanks a lot!

mayurr98 · ‎01-03-2018

hey try this

your_base_Search earliest=@d+9h latest=now 
| dedup IDEVENT 
| timechart SPAN=1H COUNT AS IDEVENT 
| rename IDEVENT AS " PALLET QUANTITY"

let me know if this helps you!

View solution in original post

auaave · ‎01-03-2018

@ mayurr98 Great! Thanks! It worked! 🙂

mayurr98 · ‎01-03-2018

you are welcome,
accept and upvote if it works for you!

mayurr98 · ‎01-03-2018

hey try this

your_base_Search earliest=@d+9h latest=now 
| dedup IDEVENT 
| timechart SPAN=1H COUNT AS IDEVENT 
| rename IDEVENT AS " PALLET QUANTITY"

let me know if this helps you!

micahkemp · ‎01-03-2018

I'm not sure your search in the example makes sense as-is, but perhaps that's due to it being altered for the question. Assuming it's valid, and you want to only include hours after 9am, try this:

<your search> date_hour>=9
| dedup IDEVENT 
| timechart SPAN=1H COUNT AS IDEVENT 
| rename IDEVENT AS " PALLET QUANTITY"

Splunk parses out the timestamp components (date_month, date_mday, date_hour, etc) for each event, so these fields are available to be a part of your base search.

auaave · ‎01-03-2018

Thanks @micahkemp

How to count the number of eventts starting at 9 am each day?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio