topic Re: Simple question about timecharts in Splunk Search

Simple question about timecharts

nebel — Thu, 26 Apr 2012 15:33:06 GMT

Hi there,

I have a field with values, like 2, 4 or 10.
Now I want to use a timechart or a chart which display 2, 4 or 10 in a graph over the time. I struggeling because Splunk always use the event and not the content of the event.

when I perform a search like this

index=firewall | sourcetype=cisco | multikv fields connections | timechart avg(connections) by node

I just get average values of the connections - I want to use the real values in the field connections without using any mathematical constructions.

Thanks in advance

Cheers

Re: Simple question about timecharts

RicoSuave — Thu, 26 Apr 2012 19:38:36 GMT

index=firewall | sourcetype=cisco | multikv fields connections | bucket _time span=1h as time | chart sum(connections) over time by node

you'll probably have to fool around with the span time, but that should do it.

Re: Simple question about timecharts

Ayn — Thu, 26 Apr 2012 19:57:00 GMT

Some explanation on how timechart behaves: timechart needs some kind of statistical function that returns a unique value for the timespan it's operating on. If you don't define the timespan yourself it will be set dynamically depending on what timerange the whole search spans, but let's take an example where the timespan is 1 minute and that somewhere in your log you have 3 of these events occurring within 1 minute. Splunk needs to know how to give you ONE value for "Value", even though there are 3 values of each. You can tell Splunk to just give you an average from the 3 events using the stats function avg, like you have done:

... | timechart span=1m avg(connections) by node

Or, if you only want the values from the first of the events within the time period, use first instead of avg. Want the sum? Use sum. And so on. More information on statistical functions is available here: http://www.splunk.com/base/Documentation/latest/SearchReference/Stats

There's also a second way to do this, which is to produce a table containing timestamps and values yourself and then feed them into the chart.

... | table _time connections

Re: Simple question about timecharts

nebel — Thu, 26 Apr 2012 19:59:17 GMT

I think we have a misunderstanding I want to know how I can use the values IN the field. for instance, connections=2 at 3 pm and connections=8 at 4 pm. So I want to have a graph which displays once the connections 2 and 8 over the time 3 and 4 pm.

For me it is important to display the real numbers in my time chart without having avg etc.
I don't need it in a table.

You know what I mean?

Re: Simple question about timecharts

Ayn — Thu, 26 Apr 2012 20:51:15 GMT

I know, and that's the problem I'm addressing in my answer. There are two suggested ways of solving it in there - what are your objections to either way?

Re: Simple question about timecharts

colinmchugo — Wed, 12 Jul 2017 14:46:15 GMT

I have panels that produce a number using the stat command (stats count | where count=0] | stats count) at the end of each panels calculations with a field that ensures not n/a. What i want to do is show the trend of this number over the last 24 hours or week. I was considering using trend lines but this may work better.

So i need some formula that calculates the number of events from a previous 24 hours i am guessing the avg command and then compares this to current day so i want to see the trends but also want to know if and when this log is not working for some reason. thanks C.

Re: Simple question about timecharts

richgalloway — Wed, 12 Jul 2017 15:16:15 GMT

This question is more than 5 years old and has an accepted answer so you're unlikely to get an answer. You should post a new question.

Re: Simple question about timecharts

colinmchugo — Wed, 12 Jul 2017 16:38:54 GMT

thanks Rich i tried that and nobody answered but ill try again thanks.