How to group data by time from csv?

harshal_chakran · ‎07-24-2014

Hi,

I have a csv with two columns, where 1st column is of datetime format :
"%d-%b-%Y %H:%M:%S" i.e. 01-Jan-2014 00:15:00 & second one showing a RESULT (numerical value)

Is it possible to group my RESULT column with respect to one hour and 6 hours and displaying it in a table?
So that in first case I can show only one hour of data and in second case only 6 hours of data.

Kindly Help...!!!

strive · ‎07-24-2014

Assuming your CSV column names as Time and Result

Try this

|inputlookup test.csv | eval _time=strptime(Time,"%d-%b-%Y %H:%M:%S") | bucket _time span=6h | stats sum(Result) as Total by _time

The above example is for 6 hour buckets. You can change span for 1 hour buckets.

somesoni2 · ‎08-04-2014

Just replace "|stats sum(Result) as Total by _time" with " | table _time Result".

harshal_chakran · ‎08-04-2014

actualy I dont want the sum, only the table with all the values relative to that timestamp

strive · ‎07-25-2014

With the search that i have given you wont get multiple values for a single timestamp. Give sample input and also expected output. We can modify search as per your requirements

tom_frotscher · ‎07-25-2014

You can use the mvexpand command in this case.
yoursearch | mvexpand RESULTS

But if you used the search mentiond by @strive, you should already have you desired result. Maybe you can post the exact search you used again.

harshal_chakran · ‎07-25-2014

thanks for the answer strive.

Is it possible to show it as :-

timestamp RESULT
01-Jan-2014 00:15:00 1234
01-Jan-2014 00:15:00 3456
01-Jan-2014 00:15:00 6578

what I am getting now is:

timestamp RESULT
01-Jan-2014 00:15:00 1234
3456
6578

How to group data by time from csv?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases