topic Timechart based on field value (aggregated event count) rather than number of events in Splunk Search https://community.splunk.com/t5/Splunk-Search/Timechart-based-on-field-value-aggregated-event-count-rather/m-p/44350#M179182 <P>Hi,</P> <P>I get events from a source which already aggregates events. Examples:</P> <PRE><CODE>Apr 24 2012 09:59:59,event_name=FWALL: Matched By Firewall, event_count=5,src_ip=199.80.55.144,src_port=80,src_country=Hong Kong,dst_ip=192.168.1.2,dst_port=22628,dst_country=Switzerland,action=mitigate,proto=TCP Apr 24 2012 09:59:59,event_name=PROTO: HTTP Header Section Too Long, event_count=11,src_ip=212.71.127.101,src_port=80,src_country=Switzerland,dst_ip=192.168.1.2,dst_port=52003,dst_country=Switzerland,action=monitor,proto=TCP </CODE></PRE> <P>So for statistics on total event count I need to evaluate / sum the number in the event_count field.<BR /> So how can I timechart on event_name but evaluate the event_count field rather than the actual number of events collected?</P> <P>Thanks !</P> Sat, 05 May 2012 09:03:39 GMT flle 2012-05-05T09:03:39Z Timechart based on field value (aggregated event count) rather than number of events https://community.splunk.com/t5/Splunk-Search/Timechart-based-on-field-value-aggregated-event-count-rather/m-p/44350#M179182 <P>Hi,</P> <P>I get events from a source which already aggregates events. Examples:</P> <PRE><CODE>Apr 24 2012 09:59:59,event_name=FWALL: Matched By Firewall, event_count=5,src_ip=199.80.55.144,src_port=80,src_country=Hong Kong,dst_ip=192.168.1.2,dst_port=22628,dst_country=Switzerland,action=mitigate,proto=TCP Apr 24 2012 09:59:59,event_name=PROTO: HTTP Header Section Too Long, event_count=11,src_ip=212.71.127.101,src_port=80,src_country=Switzerland,dst_ip=192.168.1.2,dst_port=52003,dst_country=Switzerland,action=monitor,proto=TCP </CODE></PRE> <P>So for statistics on total event count I need to evaluate / sum the number in the event_count field.<BR /> So how can I timechart on event_name but evaluate the event_count field rather than the actual number of events collected?</P> <P>Thanks !</P> Sat, 05 May 2012 09:03:39 GMT https://community.splunk.com/t5/Splunk-Search/Timechart-based-on-field-value-aggregated-event-count-rather/m-p/44350#M179182 flle 2012-05-05T09:03:39Z Re: Timechart based on field value (aggregated event count) rather than number of events https://community.splunk.com/t5/Splunk-Search/Timechart-based-on-field-value-aggregated-event-count-rather/m-p/44351#M179183 <P>If you want the sum of the values in the <CODE>event_count</CODE> field for some interval, just use the statistical function <CODE>sum</CODE>.</P> <PRE><CODE>... | timechart sum(event_count) by event_name </CODE></PRE> Sat, 05 May 2012 09:30:50 GMT https://community.splunk.com/t5/Splunk-Search/Timechart-based-on-field-value-aggregated-event-count-rather/m-p/44351#M179183 Ayn 2012-05-05T09:30:50Z