https://community.splunk.com/t5/Splunk-ITSI/Timechart-after-Stats/m-p/510066#M2086 <P>Hi everyone,</P><P>I am trying to create a timechart showing distribution of accesses in last 24h filtered through stats command. More precisely I am sorting services with low accesses number but higher than 2 and considerating only 4 less accessed services using this:</P><P>index =<BR />|bin _time span=1h<BR />| stats count by Service _time<BR />| where count&gt;2<BR />| sort 4 count<BR />| rename count as "Access number"<BR />| timechart span=1h count by Service</P><P>&nbsp;</P><P>Results would show services with number of accesses of 1 or 2 in a day despite the where clause. Thank you in advance for your help.</P> Mon, 20 Jul 2020 17:49:18 GMT andy 2020-07-20T17:49:18Z https://community.splunk.com/t5/Splunk-ITSI/Timechart-after-Stats/m-p/510066#M2086 <P>Hi everyone,</P><P>I am trying to create a timechart showing distribution of accesses in last 24h filtered through stats command. More precisely I am sorting services with low accesses number but higher than 2 and considerating only 4 less accessed services using this:</P><P>index =<BR />|bin _time span=1h<BR />| stats count by Service _time<BR />| where count&gt;2<BR />| sort 4 count<BR />| rename count as "Access number"<BR />| timechart span=1h count by Service</P><P>&nbsp;</P><P>Results would show services with number of accesses of 1 or 2 in a day despite the where clause. Thank you in advance for your help.</P> Mon, 20 Jul 2020 17:49:18 GMT https://community.splunk.com/t5/Splunk-ITSI/Timechart-after-Stats/m-p/510066#M2086 andy 2020-07-20T17:49:18Z https://community.splunk.com/t5/Splunk-ITSI/Timechart-after-Stats/m-p/510073#M2087 <P>The <FONT face="courier new,courier">timechart</FONT> command requires events to be in time order, but the query uses <FONT face="courier new,courier">sort</FONT> to put them in a different order.&nbsp; Try removing the sort.</P> Mon, 20 Jul 2020 17:06:03 GMT https://community.splunk.com/t5/Splunk-ITSI/Timechart-after-Stats/m-p/510073#M2087 richgalloway 2020-07-20T17:06:03Z https://community.splunk.com/t5/Splunk-ITSI/Timechart-after-Stats/m-p/510084#M2090 <P>But if I remove the sort how can I choose the 4 less accessed services?</P><P>This search gives me a list of data :</P><P>| stats count by Service _time<BR />| where count&gt;2<BR />| sort 4 count</P><P>&nbsp;</P><P>for instance&nbsp; in last 24h</P><P>Service&nbsp; &nbsp; &nbsp;|&nbsp; &nbsp; &nbsp; &nbsp; Accesses<BR />A&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; |&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 3</P><P>B&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;|&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 5</P><P>&nbsp;</P><P>How can I reproduce a chart that would show me how this services are distributed&nbsp; hour per hour in last 24h?</P> Mon, 20 Jul 2020 18:04:16 GMT https://community.splunk.com/t5/Splunk-ITSI/Timechart-after-Stats/m-p/510084#M2090 andy 2020-07-20T18:04:16Z https://community.splunk.com/t5/Splunk-ITSI/Timechart-after-Stats/m-p/510095#M2091 <P>Re-sort the results by time.</P><LI-CODE lang="markup">index = | bin _time span=1h | stats count by Service _time | where count&gt;2 | sort 4 count | sort _time | timechart span=1h count by Service</LI-CODE><P>&nbsp;</P> Mon, 20 Jul 2020 18:51:49 GMT https://community.splunk.com/t5/Splunk-ITSI/Timechart-after-Stats/m-p/510095#M2091 richgalloway 2020-07-20T18:51:49Z https://community.splunk.com/t5/Splunk-ITSI/Timechart-after-Stats/m-p/510113#M2092 <P>Don't know why but in this way it only shows 1 service which reached 4 accesses in 1 hour, instead&nbsp;I would like to have a hour by hour timechart of the last 4 services by sum of daily events and having sum &gt; 2 .</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 20 Jul 2020 20:06:17 GMT https://community.splunk.com/t5/Splunk-ITSI/Timechart-after-Stats/m-p/510113#M2092 andy 2020-07-20T20:06:17Z https://community.splunk.com/t5/Splunk-ITSI/Timechart-after-Stats/m-p/510126#M2093 <P>Something like this?</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="richgalloway_0-1595280763615.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/9796iABFF374BC6DD7A28/image-size/medium?v=v2&amp;px=400" role="button" title="richgalloway_0-1595280763615.png" alt="richgalloway_0-1595280763615.png" /></span></P><P>Here's the search that produced it.</P><LI-CODE lang="markup">| gentimes start=07/19/2020 end=07/20/2020 increment=10m | eval Service="Service_".random()%10, _time=starttime ``` Above just sets up test data``` | bin _time span=1h | stats count by Service _time | where count&gt;2 | sort 4 count | timechart span=1h count by Service</LI-CODE> Mon, 20 Jul 2020 21:33:26 GMT https://community.splunk.com/t5/Splunk-ITSI/Timechart-after-Stats/m-p/510126#M2093 richgalloway 2020-07-20T21:33:26Z https://community.splunk.com/t5/Splunk-ITSI/Timechart-after-Stats/m-p/510177#M2094 <P>Yeah something like this is what I'm looking for, but first I need to consider only 4 services with lowest daily count</P><P>&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="andy_0-1595317390378.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/9800iCBF7E385C95F7E32/image-size/medium?v=v2&amp;px=400" role="button" title="andy_0-1595317390378.png" alt="andy_0-1595317390378.png" /></span></P><P>&nbsp;</P> Tue, 21 Jul 2020 07:46:23 GMT https://community.splunk.com/t5/Splunk-ITSI/Timechart-after-Stats/m-p/510177#M2094 andy 2020-07-21T07:46:23Z https://community.splunk.com/t5/Splunk-ITSI/Timechart-after-Stats/m-p/510220#M2095 The query I gave you shows only 4 services. Tue, 21 Jul 2020 12:44:00 GMT https://community.splunk.com/t5/Splunk-ITSI/Timechart-after-Stats/m-p/510220#M2095 richgalloway 2020-07-21T12:44:00Z