Archive
Highlighted

How do I chart rare values?

Engager

Hello!

I'm fairly new to Splunk, and I'm using my Minecraft server logs to chart some data. I am having a hard time charting rare values. Here is the search I'm trying:

index=minecraft action=blockbroken
| rare block
type
| chart count(blocktype) over player by blocktype useother=f

This does not work. I know I'm doing this incorrectly, but I'm not sure how, exactly. Any tips would be greatly appreciated!

Tags (1)
0 Karma
Highlighted

Re: How do I chart rare values?

Legend

Hi jonkeiser,
after rare command you have only three fields: block_type, count and percent; so you don't have field "player" more.
You should use a different approach, something like

index=minecraft action=block_broken
| chart count(block_type) over player by block_type useother=f

Bye.
Giuseppe

0 Karma
Highlighted

Re: How do I chart rare values?

Engager

This won't return the rare values, though, which is what I need. I am already using that search to return the top values.

0 Karma