topic Re: Timechart with overall count in Splunk Search

Timechart with overall count

yAlff — Thu, 31 Oct 2013 09:42:31 GMT

Hello Answers-Base,

I have a timechart where i see the statistics over some softwareversions --> see example

searchstring | timechart dc(id) by boxsw | rename _time AS Zeit | convert timeformat="%d.%m.%Y" ctime(Zeit)

Now I see a diagramm with the softwareversions in the field, ordnered by time - so far, so good. But I need one more line, that shows how much results were there over time, means all results added.

I just tried something like timechart dc(id) by boxsw, count by id, but Mr Splunk tells me, that the argument count is invalid. Btw I use (and have to use) Splunk 5.0.2.

Do you have a solution?

Thanks and greeting from Germany

Update according to the answer from kristian.kolb:
I think I did not outline my idea clearly.

The table should look like:
Zeit boxsw1 boxsw2 allsw
30.10.2013 2 5 7
31.10.2013 7 20 27

Re: Timechart with overall count

kristian_kolb — Thu, 31 Oct 2013 09:51:16 GMT

...| addcoltotals labelfield=Zeit label=Total

might be what you're looking for, which would add an extra line like so;

Zeit         boxsw1  boxsw2  boxsw3
30.11.2013       33      12       9
31.11.2013       10      12      21
Total            43      24      30

UPDATE:

addtotals is what you're looking for

http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/addtotals

Re: Timechart with overall count

yAlff — Thu, 31 Oct 2013 11:12:57 GMT

Thank you for this answer, but that's actually not what I need. I updated my question.

Re: Timechart with overall count

kristian_kolb — Thu, 31 Oct 2013 11:30:46 GMT

see update above

Re: Timechart with overall count

martin_mueller — Thu, 31 Oct 2013 13:20:54 GMT

In general, you could run two searches over the same time range with the same bucket span and join them together over _time. For your example from above

... | timechart dc(id) by boxsw, count by id

it could look like this:

... | timechart dc(id) by boxsw | join _time [search ... | timechart count by id]

You'd get one row per bucket with the columns from both searches.

Re: Timechart with overall count

yAlff — Thu, 31 Oct 2013 13:47:45 GMT

Thank you, that's what I was looking for!