https://community.splunk.com/t5/Splunk-Search/Distinct-count-by-hour-by-type/m-p/313280#M93780 <P>How about this?</P> <PRE><CODE>... | eval hour=strftime(_time,"%H") | streamstats time_window=1h dc(vehicle_id) AS dc_vid by vehicle_type| timechart max(dc_vid) by vehicle_type fixedrange=false </CODE></PRE> <P>OR</P> <PRE><CODE>... | eval hour=vehicle_type.":".strftime(_time,"%H") | streamstats time_window=1h dc(vehicle_id) AS dc_vid by vehicle_type| timechart max(dc_vid) by hour fixedrange=false </CODE></PRE> Thu, 06 Apr 2017 01:13:06 GMT somesoni2 2017-04-06T01:13:06Z https://community.splunk.com/t5/Splunk-Search/Distinct-count-by-hour-by-type/m-p/313279#M93779 <P>I currently have a search:</P> <PRE><CODE>... | eval hour=strftime(_time,"%H") | streamstats time_window=1h dc(vehicle_id) AS dc_vid | timechart max(dc_vid) by hour fixedrange=false </CODE></PRE> <P>This correctly produces the number of distinct vehicles on a particular route by hour.</P> <P>But now assume that there are two different vehicle types: bus and streetcar. So I want to modify the chart to show the same thing, but each bar should be a stacked bar composed of the number of distinct vehicles by <CODE>vehicle_type</CODE> by hour.</P> <P>I've tried all manner of fiddling with the search and I can't seem to get it.</P> <P>BTW: the existing search shows each hour as a different colored bar. I don't actually care about that. For the new chart, two colors would be fine (one for each vehicle type in the stacked bar).</P> Wed, 05 Apr 2017 22:25:18 GMT https://community.splunk.com/t5/Splunk-Search/Distinct-count-by-hour-by-type/m-p/313279#M93779 plucas_splunk 2017-04-05T22:25:18Z https://community.splunk.com/t5/Splunk-Search/Distinct-count-by-hour-by-type/m-p/313280#M93780 <P>How about this?</P> <PRE><CODE>... | eval hour=strftime(_time,"%H") | streamstats time_window=1h dc(vehicle_id) AS dc_vid by vehicle_type| timechart max(dc_vid) by vehicle_type fixedrange=false </CODE></PRE> <P>OR</P> <PRE><CODE>... | eval hour=vehicle_type.":".strftime(_time,"%H") | streamstats time_window=1h dc(vehicle_id) AS dc_vid by vehicle_type| timechart max(dc_vid) by hour fixedrange=false </CODE></PRE> Thu, 06 Apr 2017 01:13:06 GMT https://community.splunk.com/t5/Splunk-Search/Distinct-count-by-hour-by-type/m-p/313280#M93780 somesoni2 2017-04-06T01:13:06Z https://community.splunk.com/t5/Splunk-Search/Distinct-count-by-hour-by-type/m-p/313281#M93781 <P>Like this:</P> <PRE><CODE>... | eval vehicle_type=case(PUT YOUR STUFF HERE) | timechart span=1h dc(vehicle_id) AS dc_vid BY vehicle_type </CODE></PRE> Thu, 06 Apr 2017 02:23:45 GMT https://community.splunk.com/t5/Splunk-Search/Distinct-count-by-hour-by-type/m-p/313281#M93781 woodcock 2017-04-06T02:23:45Z https://community.splunk.com/t5/Splunk-Search/Distinct-count-by-hour-by-type/m-p/313282#M93782 <P>Neither of those works.</P> Thu, 06 Apr 2017 02:42:15 GMT https://community.splunk.com/t5/Splunk-Search/Distinct-count-by-hour-by-type/m-p/313282#M93782 plucas_splunk 2017-04-06T02:42:15Z https://community.splunk.com/t5/Splunk-Search/Distinct-count-by-hour-by-type/m-p/313283#M93783 <P>This pretty much works. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 06 Apr 2017 02:46:19 GMT https://community.splunk.com/t5/Splunk-Search/Distinct-count-by-hour-by-type/m-p/313283#M93783 plucas_splunk 2017-04-06T02:46:19Z https://community.splunk.com/t5/Splunk-Search/Distinct-count-by-hour-by-type/m-p/313284#M93784 <P>There is value in simplicity, even if it is not a <EM>perfect</EM> fit.</P> Thu, 06 Apr 2017 03:09:44 GMT https://community.splunk.com/t5/Splunk-Search/Distinct-count-by-hour-by-type/m-p/313284#M93784 woodcock 2017-04-06T03:09:44Z