topic Re: How to create a time chart with values from eventstats? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-create-a-time-chart-with-values-from-eventstats/m-p/273246#M82348 <P>Please clarify which total value you need to show per day in the second query. Do you need the daily total of QTOTAL per day? Sharing some of the actual data may help.</P> Wed, 14 Dec 2016 12:35:30 GMT rjthibod 2016-12-14T12:35:30Z How to create a time chart with values from eventstats? https://community.splunk.com/t5/Splunk-Search/How-to-create-a-time-chart-with-values-from-eventstats/m-p/273245#M82347 <P>Hi all.</P> <P>I have a search like this:</P> <PRE><CODE>index=log sourcetype=data TYPE="PLATFORM" | timechart span=1d count by AREA limit=100 | addtotals </CODE></PRE> <P>Now, I must replicate with a search like this:</P> <PRE><CODE>index=log sourcetype=data TYPE="PLATFORM" | eventstats sum(QP) AS QTOTAL by AREA | timechart span=1d count(QP) by AREA limit=100 | addtotals </CODE></PRE> <P>but this has been unsuccessful. QP is a number field. I need to show day by day the total by AREA.</P> <P>Suggestions?</P> <P>Thanks!</P> Wed, 14 Dec 2016 12:26:36 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-time-chart-with-values-from-eventstats/m-p/273245#M82347 changux 2016-12-14T12:26:36Z Re: How to create a time chart with values from eventstats? https://community.splunk.com/t5/Splunk-Search/How-to-create-a-time-chart-with-values-from-eventstats/m-p/273246#M82348 <P>Please clarify which total value you need to show per day in the second query. Do you need the daily total of QTOTAL per day? Sharing some of the actual data may help.</P> Wed, 14 Dec 2016 12:35:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-time-chart-with-values-from-eventstats/m-p/273246#M82348 rjthibod 2016-12-14T12:35:30Z Re: How to create a time chart with values from eventstats? https://community.splunk.com/t5/Splunk-Search/How-to-create-a-time-chart-with-values-from-eventstats/m-p/273247#M82349 <P>Hi, thanks. Yes, i need the daily total of QTOTAL.</P> Wed, 14 Dec 2016 12:37:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-time-chart-with-values-from-eventstats/m-p/273247#M82349 changux 2016-12-14T12:37:09Z Re: How to create a time chart with values from eventstats? https://community.splunk.com/t5/Splunk-Search/How-to-create-a-time-chart-with-values-from-eventstats/m-p/273248#M82350 <PRE><CODE>index=log sourcetype=data TYPE="PLATFORM" |bucket _time span=1d | chart sum(QP) AS QTOTAL by _time AREA | addtotals </CODE></PRE> <P>does this get you what you need?</P> Wed, 14 Dec 2016 12:41:14 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-time-chart-with-values-from-eventstats/m-p/273248#M82350 cmerriman 2016-12-14T12:41:14Z Re: How to create a time chart with values from eventstats? https://community.splunk.com/t5/Splunk-Search/How-to-create-a-time-chart-with-values-from-eventstats/m-p/273249#M82351 <P>OK, I am still a little confused. Do you need both the QTOTAL per day by AREA and the count of QP events per day by AREA, or just the former?</P> Wed, 14 Dec 2016 12:41:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-time-chart-with-values-from-eventstats/m-p/273249#M82351 rjthibod 2016-12-14T12:41:44Z Re: How to create a time chart with values from eventstats? https://community.splunk.com/t5/Splunk-Search/How-to-create-a-time-chart-with-values-from-eventstats/m-p/273250#M82352 <P>Have you just tried:</P> <PRE><CODE> index=log sourcetype=data TYPE="PLATFORM" | timechart span=1d sum(QP) AS QTOTAL by AREA limit=100 | addtotals </CODE></PRE> <P>?</P> Wed, 14 Dec 2016 12:42:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-time-chart-with-values-from-eventstats/m-p/273250#M82352 ktugwell_splunk 2016-12-14T12:42:38Z Re: How to create a time chart with values from eventstats? https://community.splunk.com/t5/Splunk-Search/How-to-create-a-time-chart-with-values-from-eventstats/m-p/273251#M82353 <P>Hi. I need only QTOTAL per day.</P> Wed, 14 Dec 2016 12:44:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-time-chart-with-values-from-eventstats/m-p/273251#M82353 changux 2016-12-14T12:44:11Z Re: How to create a time chart with values from eventstats? https://community.splunk.com/t5/Splunk-Search/How-to-create-a-time-chart-with-values-from-eventstats/m-p/273252#M82354 <P>Then you want the comment below from @ktugwell</P> Wed, 14 Dec 2016 12:45:36 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-time-chart-with-values-from-eventstats/m-p/273252#M82354 rjthibod 2016-12-14T12:45:36Z Re: How to create a time chart with values from eventstats? https://community.splunk.com/t5/Splunk-Search/How-to-create-a-time-chart-with-values-from-eventstats/m-p/273253#M82355 <P>Let me check...</P> Wed, 14 Dec 2016 12:48:40 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-time-chart-with-values-from-eventstats/m-p/273253#M82355 changux 2016-12-14T12:48:40Z Re: How to create a time chart with values from eventstats? https://community.splunk.com/t5/Splunk-Search/How-to-create-a-time-chart-with-values-from-eventstats/m-p/273254#M82356 <P>Would this work?</P> <P>index=log sourcetype=data TYPE="PLATFORM" | timechart span=1d count(QP) sum(QP) AS Total by AREA limit=100</P> Wed, 14 Dec 2016 14:01:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-time-chart-with-values-from-eventstats/m-p/273254#M82356 snoobzilla 2016-12-14T14:01:38Z Re: How to create a time chart with values from eventstats? https://community.splunk.com/t5/Splunk-Search/How-to-create-a-time-chart-with-values-from-eventstats/m-p/273255#M82357 <P>Works perfect! Thanks! Do you can answer the question with your comment?</P> <P>Thanks!</P> Wed, 14 Dec 2016 19:42:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-time-chart-with-values-from-eventstats/m-p/273255#M82357 changux 2016-12-14T19:42:08Z