topic Re: Timechart already bucketed logs in Splunk Search

Timechart already bucketed logs

christopherutz — Tue, 26 Oct 2010 22:00:03 GMT

I have a query in which I use bucket to remove some duplicates at certain intervals. I am now trying to timechart this data but I would like to use the buckets I already created rather than using the span or bins option on timechart.

When not specifying a span or bins option timechart defaults and combines the buckets split by the bucket command. Eg.

mysearch |bucket _time span=5m | dedup _time fieldA fieldB | timechart count by fieldA

If I specify a span in the timechart command it seems to work better, however, I am not convinced timechart is not still combining buckets.

mysearch |bucket _time span=5m | dedup _time fieldA fieldB | timechart span=5m count by fieldA

What are my options here?

As an example I have log entries that look like this.

timestamp fieldA=server1 fieldB=unitA 
timestamp fieldA=server1 fieldB=unitB 
timestamp fieldA=server2 fieldB=unitA 
timestamp fieldA=server2 fieldB=unitB 
timestamp fieldA=server2 fieldB=unitB

What I am looking for is a timechart that shows the distinct count of fieldB for each value of fieldA in each bucket. So assuming all the entries above are in one bucket the value for server1 is 2 and for server2 is 2.

Re: Timechart already bucketed logs

sideview — Wed, 27 Oct 2010 01:22:47 GMT

Well I think if you're doing the bucketing by hand with the bucket command, you might as well go all the way and just use stats count by _time, fieldA instead of timechart count by fieldA.

The end result is the same, but when you use stats instead of timechart you'll be sure that really isnt any more bucketing going on.

UPDATE -

1) to get the "timechart showing the distinct count of field A for each value of field B", you'd just do

<everything else> | stats dc(fieldA) by _time, fieldB

2) And the flash chart doesn't care whether the rows and columns come from timechart or some manually bucketed and stats'ed search command. If the table looks right the chart will look right.

Re: Timechart already bucketed logs

christopherutz — Wed, 27 Oct 2010 01:57:22 GMT

This produces the correct table but I am really interested in the chart. Can I get to the chart from stats without using timechart? I have edited the post with an example of what I am looking for.

Re: Timechart already bucketed logs

sideview — Wed, 27 Oct 2010 02:10:31 GMT

Updated my answer. Indeed the Flash Chart doesnt know what the search language was - it just graphs the rows and columns it's given, so the combination of bucket and stats dc(fieldA) by _time, fieldB will work just fine in the chart.