Need help to create search for the same time over ...

GersonGarcia · ‎02-10-2017

All,

I am running this simple search from 12pm to 2pm:

index=ssn sourcetype=app-gmr eventtype=start_job | stats count
30,634 events (2/8/17 12:00:00.000 PM to 2/8/17 2:00:00.000 PM)

I need to generate average of count of the same time but every day past 7 days.

I was able to do this search using:

index=ssn sourcetype=app-gmr eventtype=start_job earliest=@d-7d latest=@d | where date_hour>11 AND date_hour<15| stats count by date_hour | eval avgjobs=count/7

But it is really hard to define the parameters in a dropdown list or timerpick in a Dashboard.

Is there a better option? I want to build a dashboard where the user can select the hours and the amount of days for the average, using the search I built is difficult to operate with date_hour, if the user selects for example 2h starting at 11pm.

Thank you,

mattymo · ‎02-10-2017

timewrap command is baked into 6.5, or see app on splunkbase for pre6.5. You could use that to get your timeseries, then let user set the span using dashboard inputs.

index=_internal host=n00bserver
| timechart span=5m count by host
| timewrap d

http://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Timewrap

- MattyMo

pradeepkumarg · ‎02-10-2017

May be you can give two drop downs? One for the starting hour and one for the ending hour? You don't have to worry about the duration that way.

GersonGarcia · ‎02-11-2017

Yes I can, it is not about the duration, it is the "method" I used to pick the hours in the day:

where date_hour>11 AND date_hour<15

Let's say the user pick 11pm to 1am (that is 2 hours of data per day during 7 days)

The "equation" will be:

where date_hour>22 AND date_hour<3

That will return 0 always.

Need help to create search for the same time over days

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases