Dashboards & Visualizations
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Line Chart with a day wise usage count
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
zacksoft
Contributor
12-04-2017
02:19 AM
I want to know how frequently a keyword is found(from the list of events) and see it in a time chart.
This is the search I am using, I am not sure if I am using it correct .
And there is a null line found in the line chart.
host= "HostA" or "HostB" "videostreamed"
| eval view=if(like(_raw,"%videostreamed%"),"Prime_Streamed"
| timechart span=1d count by view
I want to know the amount of events generated with the key word "videostreamed" based on the base-search I have, on a daily basis in a line chart.
Example : if the linechart has a spike on Monday, It should mean more events found with the videostreamed
The more the number of events, the higher is the usage that day.
I hope I am clear with my explanation
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HiroshiSatoh
Champion
12-04-2017
03:06 AM
I think that this alone is good.
host= "HostA" or "HostB" "videostreamed"
| timechart span=1d count
Do you also need a number that does not match?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
12-04-2017
07:12 PM
I think this:
host= "HostA" or "HostB"
| timechart span=1d count count(eval(searchmatch("videostreamed"))) AS Prime_Streamed BY view
Or, probably you'd like this better:
host= "HostA" or "HostB"
| bucket _time span=1d
| stats count count(eval(searchmatch("videostreamed"))) AS Prime_Streamed BY view_time
| eval pct = 100 * Prime_Streamed / count
| timechart span=1d avg(pct) AS pct BY view
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ppuru
Path Finder
12-04-2017
03:25 AM
You may want to consider assigning a number to it.
index=* | eval Text_Found = if(like(_raw,"%GET%"),"1","0") | where Text_Found=1 | timechart span=1m count by Text_Found
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HiroshiSatoh
Champion
12-04-2017
03:06 AM
I think that this alone is good.
host= "HostA" or "HostB" "videostreamed"
| timechart span=1d count
Do you also need a number that does not match?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
zacksoft
Contributor
12-04-2017
03:08 AM
yes, That would help too.
Get Updates on the Splunk Community!
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
Splunk AppDynamics Agents Webinar Series
Mark your calendars! On June 24th at 12PM PST, we’re going live with the second session of our Splunk ...
SplunkTrust Application Period is Officially OPEN!
It's that time, folks! The application/nomination period for the 2025 SplunkTrust is officially open!
If you ...
