- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- "bucket _time span=..." has no affect on search re...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to group events with same fields and get a count for every 5 minutes interval. I used the following search string:
index=example | rex field=_raw EXAMPLE(?.+) | spath input=json | stats count by field1 field2 fields3 field4 | bucket _time span=5m
Instead of returning count for every 5 minutes interval, it returned the total count of all time. Is "bucket _time span=..." not supposed to work with stats?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello! How do you know that your query is returning count every 5 minutes? I think you have to count by _time to know what happen
Try something like this :
index=example | rex field=_raw EXAMPLE(?.+) | spath input=json | bucket _time span=5m| stats count by field1 field2 fields3 field4 _time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello! How do you know that your query is returning count every 5 minutes? I think you have to count by _time to know what happen
Try something like this :
index=example | rex field=_raw EXAMPLE(?.+) | spath input=json | bucket _time span=5m| stats count by field1 field2 fields3 field4 _time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The "bucket" command needs to come before the "stats" command like this:
index=example | rex field=_raw EXAMPLE(?.+) | spath input=json | bucket _time span=5m | stats count by _time field1 field2 fields3 field4
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The bucket command is for taking an existing field value and putting it into discrete sets... in the case of _time, it would alter events to be in 5 minute segments.
Note the timestamp in your results the results between index=example | head 10 and index=example | head 10 | bucket _time span=5m
As time is a field just like everything else, you can bucket first, and then use _time in your stats command like so:
index=example | rex field=_raw EXAMPLE(?.+) | spath input=json | bucket _time span=5m | stats count by _time field1 field2 fields3 field4
(Notice the change of order of commands and the additional by field). Using bucket after stats does nothing since after stats, _time is no longer is present on the results.
You may also be interested in timechart but that would depend as to what you're doing with each of these.
Introducing the Splunk Community Dashboard Challenge!
Wondering How to Build Resiliency in the Cloud?
Updated Data Management and AWS GDI Inventory in Splunk Observability
