I have some incident data in splunk which includes a lot of fields number, created_on etc. Now i query data based on time. There are five cases.
Last 60 minutes
Last 24 hours
Last 30 days
Last 5 weeks
Last 5 months
So every number is created on some specific time which is in created_time.
Now based on the time that i query, what i want is a JSON based on the timestamp.
For example,
If I select 60 minutes, i want incidents that were created in every minute.
At 4:01:00, i want the list of incident numbers.
Then the next list at 4:02:00.
Similarly for last 24 hours,
Between 4:00:00 and 5:00:00 , the list of incident numbers.
And from 5:00:00 and 6:00:00 and so on till next day 4:00:00-5:00:00
Example JSON
{"141000213" : {"IN00102", "IIN9239", "IN3u293"},
"141000234" : {"IN87208"},
"141000225" : {"IN03002", "IIN9239"}
}
Really new to Splunk. If anyone could help me out in this, it would be really helpful.
Related
I need to calculate the number of "working minutes" between two datetime values, lets call them 'Created' and 'Finished'.
'Finished' is always subsequent to 'Created'. The two values can differ by anything from 1 second to several years. The median difference is 50,000 seconds or roughly 14 hours.
Working minutes are defined as those occurring between 0900 to 1700 hours, Monday to Friday; excluding weekends and official holidays in our country.
I decided a lookup table was the way to go, so I generated a table of all work minutes, explicitly excluding weekends, nights and holidays...
CREATE TABLE `work_minutes` (
`min` datetime NOT NULL,
PRIMARY KEY (`min`),
UNIQUE KEY `min_UNIQUE` (`min`)
)
I populated this programatically with all the "working minutes" between years 2017 to 2024, and at this point I started to get the feeling I was being very inefficient as the table began to balloon to several hundred thousand rows.
I can do a lookup easily enough, for instance:
SELECT COUNT(min) FROM `work_minutes` AS wm
WHERE wm.min > '2022-01-04 00:04:03'
AND wm.min <= '2022-02-03 14:13:09';
#Returns 10394 'working minutes' in 0.078 sec
This is good enough for a one-off lookup but to query a table of 70,000 value pairs takes over 90 minutes.
So, I am uncomfortable with the slowness of the query and the sense that the lookup table is unnecessarily bloated.
I am thinking I need to set up two tables, one just for dates and another just for minutes, but not sure how to implement. Date logic has never been my forte. The most important thing to me is that the lookup can query over 70,000 values reasonably quickly and efficiently.
Working in MySQL 5.7.30. Thanks in advance for your expertise.
Divide the timerange to 3 parts - starting and finishing incomplete day parts, and middle part which consists from a lot of complete days. Of course if both starting and finishing time stamps have the same date part then it will be one part only, if their dates are consecutive then you\ll have 2 parts to process.
There is no problem to calculate the number of working minutes in incomplete day part. Common overlapping formula with weekday checking will help.
Create static calendar/service table which starts from the date which is earlier than any possible date in your beginning timestamp with guarantee and includes all dates after any possible date in your finishing timestamp. Calculate cumulative working minutes for each date in the table. This table allows to calculate the amount of working time in any range of complete days with single substraction.
Plan A: Convert the DATETIME values to seconds (from some arbitrary time) via TO_SECONDS(), then manipulate them with simple arithmetic.
Plan B: Use the DATEDIFF() function.
Your COUNT(min) counts the number of rows where min IS NOT NULL. You may as well say COUNT(*). But did you really want to count the number of rows?
I want to represent the time occurrence of an event on a chart.
I'm not familiar with javascript.
Based on the zoom, it could be the number of occurrence for each seconds, or minutes, or hours, or days, ...
I'm using a nodeJS express website, an mySQL database where I have the timestamp of all my events.
A sample of the database:
The Start and Stop period could be severals days/weeks.
I would like to represent the number of disconnection on a chart.
With no zoom, I might get the number of disconnection for each day, by zooming, I might get the number of disconnection for each hours, more each minutes and more each seconds. 0 should be displayed when there is no events.
In the same way as:
https://jsfiddle.net/gh/get/library/pure/highcharts/highcharts/tree/master/samples/highcharts/demo/line-time-series/
Before, for a solution which is not dynamic, I've used a mysql query to get the count for every minutes:
select DATE_FORMAT(time, '%Y-%m-%d %H:%i') as date, count(*) as Count
from db
WHERE event = "disconnected"
group by date
But the result is:
2019-09-18 00:36 4
2019-09-18 18:14 2
2019-10-02 11:43 2
2019-10-02 11:44 1
I would need to get every minutes with 0 when there is not events to get a correct barchart.
Right now, I have this display:
https://jsfiddle.net/pe3ua4t5/3/
I have a database table studentvideos. I want to retrieve data from this table based on week number of month which means for how much time a video is watched in a week and time is specified as totaltime column in table structure and noofviews column specifies how many times a video is watched. Week number is specified as a column in the table structure as wofmonth.
Lets we have a video named vid1, vid1 is watched two time each for 10 secs in week 1 and one time for 10 secs in week 2.
I want to get back response in nested array/JSON form in which I have week number as tag for each week and for each week number video name, sum of the time for which that video is watched in that specific week (E.g. week 1 array will have vid1 with time 20 secs and week 2 array will have vid1 with time 10 secs) and similarly number of time that video is watched in that week.
Screenshot of studentvideos table:
I tried the following query but I don't know how to modify or rewrite the query to get the desired result explained above.
SELECT videoid, sum(noofviews), sum(totaltime) FROM studentvideos group by videoid
Result:
Result of above query:
After trying so many different things the answer to this was simple. I am posting correct answer, may be someone face such a problem in future. Multiple GROUP BY did the trick for me.
Query:
SELECT wofmonth as weekNumber,videoid,sum(noofviews)as totalTime,sum(totaltime) as noOfViews from studentvideos group by wofmonth,videoid
I'm new for mysql, Already value in time field, I want to update extra 5 minutes in time field using query. I tried so many things but not working.
Here my query:
UPDATE STUDENT SET START_TIME = ADDTIME(START_TIME, 500) WHERE ID = 1;
Above query working but one issue is there that is, If my field having 23:55:00.
I want result after executing query 00:00:00 but it updates 24:00:00.
Anyone help me!
Thanks in advance!!
This is bit tricky, because you only have the time, and you want it to wrap around to 0 after hitting 24 hours. My approach is to extract the number of seconds from START_DATE, add 5 minutes, then take the mod of this by 24 hours to wrap around to zero if it exceeds one day's worth of seconds.
UPDATE STUDENT
SET START_TIME = CAST(STR_TO_DATE(CAST(MOD((TIME_TO_SEC(START_TIME) + 300), 86400) AS CHAR(5)), '%s') AS TIME)
WHERE ID = 1
In the demo below, you can see the logic in action which correctly converts 23:55:00 with five minutes added to become 00:00:00.
SQLFiddle
However, the easiest solution in your case might be to just use a DATETIME and ignore the date component. Then the time should wrap automatically to a new day.
select addtime('23:55:00', '00:06:00');
output - 24:01:00 (Ideally it is right, because time datatype represents only time, if it converts to 00:01:00 then time component looses 24hr, which is wrong)
select addtime('2016-09-01 23:55:00', '00:06:00');
output - 2016-09-02 00:01:00 (In this case, 24hr gets added in date so time component is represented as 00:01:00)
If the requirement is to get it as 00:01:00 then here is the workaround -
SELECT TIME((ADDTIME(TIME('23:59:59'), TIME('02:00:00')))%(TIME('24:00:00')));
reference -
ADDTIME() return 24 hour time
I have a column name duration with time in seconds for example i have 28000 seconds now i want to convert the second to hours and sum total number of hours for a users i have list of users with hours works which is stored in seconds like 28000 here my query
SELECT ohrm_project.project_id AS ohrmprojectid, ohrm_project.customer_id,
ohrm_project.name AS ohrm_projectname,
ohrm_timesheet_item.duration AS duration,
ohrm_timesheet_item.date AS date,
TIME_FORMAT(SEC_TO_TIME(sum(ohrm_timesheet_item.duration),"%Hh %im")) as totalhoursworked,
hs_hr_employee.*
FROM ohrm_project,ohrm_timesheet_item,hs_hr_employee
WHERE ohrm_timesheet_item.employee_id=hs_hr_employee.employee_id AND
ohrm_timesheet_item.project_id=ohrm_project.project_id AND
ohrm_project.project_id=2 AND
ohrm_timesheet_item.date BETWEEN '2016-03-31' AND '2016-04-06'
I tried query but i am getting total hours worked but i am not getting in correct i want to get suppose i have two user i want to get total hours work for 1st person and total hours for second user but i am getting only 1 user with total hours of users like this i am passing my screenshot see