Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

RAW Time series for a specific field

artrune
Path Finder
‎05-08-2019 01:22 PM

Right now I have a query or a search as follows: index=main earliest=" + earliestDate + " latest=" + latestDate + " |bucket _time span=" + bucketSize + " | stats avg(" + attribute + ") as Value by _time
However I would like to be able to get the RAW data without applying any buckets or averages (So what I basically want is to retrieve the time series data of a specific field. value and timestamp pairs)
I have tried modifying that query a bit but haven't been able to get something working.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

artrune
Path Finder
‎05-13-2019 08:21 AM

For anyone wondering this is how I got the desired result:

   | table _time field

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

artrune
Path Finder
‎05-13-2019 08:21 AM

For anyone wondering this is how I got the desired result:

   | table _time field
0 Karma
Reply
Solved! Jump to solution

koshyk
Super Champion
‎05-08-2019 02:17 PM

I don't think your SPL is correct. Are you trying to put dynamic values into your main search?

Try something like below

index=main earliest=-24h 
|timechart span=1h count by SomeFieldYouRequire

Please replace the field name accordingly
Or if you give sample data and what output you need, we can write for you

0 Karma
Reply
Solved! Jump to solution

artrune
Path Finder
‎05-08-2019 02:23 PM

Lets say I have a field name AvailableMemory. I want to get every value of that field with its corresponding timestamp within a timespan (using earlist and latest)
Does that make more sense now?

0 Karma
Reply
Solved! Jump to solution

koshyk
Super Champion
‎05-08-2019 03:00 PM

agree, but the extraction depends on your data. So would be better if you put some sample data

meantime, please try

index=main earliest=-24h latest=-1h
 |timechart span=1h count by AvailableMemory
0 Karma
Reply
Solved! Jump to solution

artrune
Path Finder
‎05-08-2019 06:10 PM

I did try that, but it returns the fields like this:
https://imgur.com/rRHQ56f
but i want it to return like this:
https://imgur.com/5UWSToM
the problem with tthe second one is that its in time buckets and with average, i want the raw values

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...