Splunk Search

bucket from relative time

yav2810
Explorer

good day!
While working out how to obtain statistics, we ran into a problem. We need to calculate the average number of events for a specific query. When using bucket, the information is collected from the beginning of the hour. We need to collect it from the current moment instead. If it's now 10:15, then we need to collect data from 08:15 to 09:15, then from 09:15 to 10:15, and so on.

query 
| bucket _time span=1h
| stats count as tCount by _time
| eventstats avg(tCount) as aCount

micahkemp
Champion

You can use streamstats for that:

query
| streamstats time_window=1h count

time_window
Syntax: time_window=<span-length>
Description: Specifies the window size for the streamstats calculations, based on time. The time_window argument is limited by range of values in the _time field in the events. To use the time_window argument, the events must be sorted in either ascending or descending time order. You can use the window argument with the time_window argument to specify the maximum number of events in a window. For the <span-length>, to specify five minutes, use time_window=5m. To specify 2 days, use time_window=2d.
Default: None. However, the value of the max_stream_window attribute in the limits.conf file applies. The default value is 10000 events.

Note: this may not be a very efficient search, depending on how much data you have. You should probably consider using stats on a smaller time period bucket (perhaps 1min) before piping the results into streamstats, so that you don't run into performance or limits issues. streamstats also retains the raw event and existing extracted fields, so including stats before it would limit that to only fields you actually care about.

query
| bin span=1min _time
| stats count BY _time
| streamstats time_window=1h sum(count) AS count
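As an added illustration (not code from the thread or from Splunk), the following Python reproduces the three computations discussed above on a small constructed set of event timestamps: fixed hour-aligned buckets (what `bin span=1h` gives and what the original poster wants to avoid), trailing one-hour windows anchored at "now" (the streamstats `time_window=1h` idea), and the cheaper route of pre-binning to one minute and summing the bins inside each window. The epoch timestamps, the choice of 10:15 as "now", and the half-open window convention `[end - span, end)` are assumptions made for the example; the page does not state Splunk's exact window inclusivity.

```python
"""Trailing-window event counts anchored at 'now' versus hour-aligned buckets.

Python stand-in for the SPL in the thread, so the approaches can be compared
on the same constructed data:
  bin span=1h _time | stats count by _time                   -> bin_counts()
  streamstats time_window=1h count (evaluated per window)    -> trailing_counts()
  bin span=1min | stats count by _time | streamstats sum()   -> trailing_counts_from_bins()
"""

HOUR = 3600
MINUTE = 60

# Constructed sample data (assumption, not from the thread): epoch seconds for
# 2024-01-01 08:00:00 UTC plus offsets in minutes. T0 is divisible by 3600,
# so it sits exactly on an hour boundary like a Splunk bin boundary would.
T0 = 1704096000
EVENTS = sorted(T0 + m * MINUTE for m in (5, 20, 50, 70, 80, 100, 125, 130))


def bin_counts(events, span=HOUR):
    """Counts per fixed bucket aligned to multiples of `span` (like `bin span=1h`)."""
    counts = {}
    for t in events:
        start = t - t % span          # floor to the bucket boundary
        counts[start] = counts.get(start, 0) + 1
    return counts


def window_ends(now, span, n):
    """Ends of the n trailing windows of length `span` finishing at now, now-span, ..."""
    return [now - i * span for i in range(n)]


def trailing_counts(events, now, span=HOUR, n=2):
    """Count events in each half-open window [end - span, end) ending at now, now-span, ...

    This is the event-level window the poster asks for: with now = 10:15 the
    windows are 09:15-10:15 and 08:15-09:15, regardless of the hour boundary.
    """
    return {end: sum(1 for t in events if end - span <= t < end)
            for end in window_ends(now, span, n)}


def trailing_counts_from_bins(events, now, span=HOUR, pre_bin=MINUTE, n=2):
    """Same result via pre-aggregation: bin to `pre_bin`, then sum bins per window.

    Mirrors `bin span=1min _time | stats count BY _time | streamstats time_window=1h sum(count)`.
    Exact agreement with trailing_counts() requires the window ends to be aligned
    to `pre_bin`, because binning moves every event to the start of its minute.
    """
    if now % pre_bin:
        raise ValueError("window end must be aligned to the pre-bin span")
    per_bin = bin_counts(events, pre_bin)
    return {end: sum(c for start, c in per_bin.items() if end - span <= start < end)
            for end in window_ends(now, span, n)}


def average(counts):
    """Average count across windows (the eventstats avg() step in the question)."""
    return sum(counts.values()) / len(counts)


if __name__ == "__main__":
    now = T0 + 135 * MINUTE          # 10:15, as in the question
    print("hour-aligned buckets     :", bin_counts(EVENTS))
    print("trailing 1h windows      :", trailing_counts(EVENTS, now))
    print("same via 1-minute bins   :", trailing_counts_from_bins(EVENTS, now))
    print("average per trailing hour:", average(trailing_counts(EVENTS, now)))
```

On this data the hour-aligned buckets report 3, 3 and 2 events, while the two trailing windows ending at 10:15 report 3 and 4; the minute-binned variant matches the event-level answer exactly, which is the property you rely on when you pre-aggregate to stay under `max_stream_window`.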

skoelpin
SplunkTrust

I think relative_time will solve your problem

http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/DateandTimeFunctions#relative...

... | eval n=relative_time(now(), "-1d@d")
