- Splunk Answers
- :
- Splunk Administration
- :
- Monitoring Splunk
- :
- RAW Time series for a specific field
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Right now I have a query or a search as follows: index=main earliest=" + earliestDate + " latest=" + latestDate + " |bucket _time span=" + bucketSize + " | stats avg(" + attribute + ") as Value by _time
However I would like to be able to get the RAW data without applying any buckets or averages (So what I basically want is to retrieve the time series data of a specific field. value and timestamp pairs)
I have tried modifying that query a bit but haven't been able to get something working.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For anyone wondering this is how I got the desired result:
| table _time field
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For anyone wondering this is how I got the desired result:
| table _time field
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't think your SPL is correct. Are you trying to put dynamic values into your main search?
Try something like below
index=main earliest=-24h
|timechart span=1h count by SomeFieldYouRequire
Please replace the field name accordingly
Or if you give sample data and what output you need, we can write for you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Lets say I have a field name AvailableMemory. I want to get every value of that field with its corresponding timestamp within a timespan (using earlist and latest)
Does that make more sense now?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
agree, but the extraction depends on your data. So would be better if you put some sample data
meantime, please try
index=main earliest=-24h latest=-1h
|timechart span=1h count by AvailableMemory
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I did try that, but it returns the fields like this:
https://imgur.com/rRHQ56f
but i want it to return like this:
https://imgur.com/5UWSToM
the problem with tthe second one is that its in time buckets and with average, i want the raw values
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
