https://community.splunk.com/t5/Splunk-Search/How-to-use-the-timechart-command-to-get-a-certain-amount-of-time/m-p/395643#M114884 <P>Yeah, the idiom <A href="https://idioms.thefreedictionary.com/pick+up+the+slack">"Pick up someones slack"</A> <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Thu, 10 May 2018 23:11:54 GMT xpac 2018-05-10T23:11:54Z https://community.splunk.com/t5/Splunk-Search/How-to-use-the-timechart-command-to-get-a-certain-amount-of-time/m-p/395637#M114878 <P>I have a lookup table with 3 fields: host, user, p_time</P> <P>The events in the lookup table will contain 12 months of data. I have converted p_time to epoch format.</P> <P>Simply, what I'm trying to accomplish is to use timechart command with a span of 1 month using p_time - to view the total number of events each month. As a side note, I would also like to include total number of events over 12 month period.</P> <P>Any help would be appreciated. </P> Thu, 10 May 2018 15:04:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-the-timechart-command-to-get-a-certain-amount-of-time/m-p/395637#M114878 brdr 2018-05-10T15:04:30Z https://community.splunk.com/t5/Splunk-Search/How-to-use-the-timechart-command-to-get-a-certain-amount-of-time/m-p/395638#M114879 <P>Just add this to the bottom of your existing search:</P> <PRE><CODE>| eval _time = p_time | timechart span=1mon count </CODE></PRE> Thu, 10 May 2018 15:17:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-the-timechart-command-to-get-a-certain-amount-of-time/m-p/395638#M114879 woodcock 2018-05-10T15:17:48Z https://community.splunk.com/t5/Splunk-Search/How-to-use-the-timechart-command-to-get-a-certain-amount-of-time/m-p/395639#M114880 <P>And add following after the timechart command to get total events for whole 12 month period</P> <PRE><CODE>| eventstats sum(count) as TotalEvents </CODE></PRE> Thu, 10 May 2018 15:37:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-the-timechart-command-to-get-a-certain-amount-of-time/m-p/395639#M114880 somesoni2 2018-05-10T15:37:59Z https://community.splunk.com/t5/Splunk-Search/How-to-use-the-timechart-command-to-get-a-certain-amount-of-time/m-p/395640#M114881 <P>Awesome. thank you both (as always) for responding <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 10 May 2018 16:13:04 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-the-timechart-command-to-get-a-certain-amount-of-time/m-p/395640#M114881 brdr 2018-05-10T16:13:04Z https://community.splunk.com/t5/Splunk-Search/How-to-use-the-timechart-command-to-get-a-certain-amount-of-time/m-p/395641#M114882 <P>Nice tag-team, @somsoni2. So now you and @daljeanis are both stalking me and fixing my silly oversights and mistakes. Thanks for picking up my slack.</P> Thu, 10 May 2018 17:26:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-the-timechart-command-to-get-a-certain-amount-of-time/m-p/395641#M114882 woodcock 2018-05-10T17:26:59Z https://community.splunk.com/t5/Splunk-Search/How-to-use-the-timechart-command-to-get-a-certain-amount-of-time/m-p/395642#M114883 <P>Is there another slack than the splunk user group slack ? </P> Thu, 10 May 2018 17:45:16 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-the-timechart-command-to-get-a-certain-amount-of-time/m-p/395642#M114883 macadminrohit 2018-05-10T17:45:16Z https://community.splunk.com/t5/Splunk-Search/How-to-use-the-timechart-command-to-get-a-certain-amount-of-time/m-p/395643#M114884 <P>Yeah, the idiom <A href="https://idioms.thefreedictionary.com/pick+up+the+slack">"Pick up someones slack"</A> <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Thu, 10 May 2018 23:11:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-the-timechart-command-to-get-a-certain-amount-of-time/m-p/395643#M114884 xpac 2018-05-10T23:11:54Z