Timechart as VS Timechart by

Path Finder

Over the last 3 days I was trying to create a dashboard with single value + trends.

The query was something like this:

  | dedup 1 src | timechart count by src

The goal was to get total number of src based on dashboard time range (before talking about the trends).

Right now, by mistake (must be honest), I changed the query so that I replaced the word "by" with "as", and it seems to work but not perfectly: when I change the time range to all time I expect to see all events, but I get only one of them (although there are 5 events in the results).

Can someone please tell me why I got confused and translate my goal above into a query correctly for next time?

Thanks


SplunkTrust

If you are looking for the total number of different srcs in any given time period, then use this

  | timechart dc(src)

Path Finder

@DalJeanis
Next to the events tab I still see 5, but when I visualize it using single value, I see only 1.


SplunkTrust

Hi @shayhibah,

So what you are doing with your first search will split the timechart count by your Source IP.
So you basically count, e.g. every hour, how many Source IPs have been seen and split this value by each unique Source IP.

When using AS or as instead of by, you are renaming the count field as "src".
You are now creating a count of all the Source IPs that were seen in, e.g., an hour over time.


Path Finder

@pyro_wood
Thank you for the clarification, but if so, I see 5 events, but when I visualize it using single value I see only 1 instead of 5.


Path Finder

With "by src" you have 1 result per event; it's not one value.
With "as src" you have 1 "count" result renamed to "src".


Path Finder

@andreacorvini
Thank you for the clarification, but if so, I see 5 events, but when I visualize it using single value I see only 1 instead of 5.


Path Finder

| timechart count as src is the right code (count of "src" events renamed to "src").

If you use "count by src" and you have deduplicated "by src" in the previous action, you will always get 1 as the result (1 event per "src").


Path Finder

Yes, you see 1 "count" field with value=5. No?

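To make the difference between the three searches in this thread concrete, here is an added Python model of what `dedup 1 src`, `timechart count by src`, `timechart count as src`, `timechart dc(src)` and `stats dc(src)` produce over a constructed set of events. It is not code from the thread or from Splunk; the events, the hourly span and the `single_value` helper (which assumes the single value panel shows the last row of a time series) are assumptions made for the example.

```python
from collections import Counter
from datetime import datetime, timedelta

HOUR = timedelta(hours=1)

# Constructed sample events (not from the thread): six raw events from five
# distinct source IPs spread over three hourly buckets. One src repeats so
# that `dedup 1 src` has something to remove.
EVENTS = [
    {"_time": datetime(2024, 1, 1, 10, 5), "src": "10.0.0.1"},
    {"_time": datetime(2024, 1, 1, 10, 40), "src": "10.0.0.2"},
    {"_time": datetime(2024, 1, 1, 10, 50), "src": "10.0.0.1"},  # duplicate src
    {"_time": datetime(2024, 1, 1, 11, 10), "src": "10.0.0.3"},
    {"_time": datetime(2024, 1, 1, 11, 30), "src": "10.0.0.4"},
    {"_time": datetime(2024, 1, 1, 12, 15), "src": "10.0.0.5"},
]


def dedup(events, field):
    """Model of `dedup 1 <field>`: keep the first event for each value of field."""
    seen, out = set(), []
    for e in events:
        if e[field] not in seen:
            seen.add(e[field])
            out.append(e)
    return out


def bucket(ts, span):
    """Floor a timestamp to the start of its span-sized bucket."""
    epoch = datetime(1970, 1, 1)
    return epoch + (ts - epoch) // span * span


def timechart(events, span, reducer):
    """Model of `timechart <stat>`: group events by time bucket and apply
    reducer to each group. Returns (bucket_start, row_dict) pairs in order."""
    groups = {}
    for e in events:
        groups.setdefault(bucket(e["_time"], span), []).append(e)
    return [(b, reducer(groups[b])) for b in sorted(groups)]


def count_by(field):
    # `timechart count by <field>`: one column per distinct field value
    return lambda rows: dict(Counter(e[field] for e in rows))


def count_as(name):
    # `timechart count as <name>`: a single count column, only its name changes
    return lambda rows: {name: len(rows)}


def dc(field):
    # `timechart dc(<field>)`: distinct count of field per bucket
    return lambda rows: {f"dc({field})": len({e[field] for e in rows})}


def stats_dc(events, field):
    # `stats dc(<field>)`: one distinct count over the whole time range
    return len({e[field] for e in events})


def single_value(table):
    """ASSUMPTION for this example: a single value panel fed a time series
    displays the first numeric cell of the last (most recent) row."""
    _, last_row = table[-1]
    return next(iter(last_row.values()))


def run(events=EVENTS, span=HOUR):
    """Run all variants over the deduplicated events and collect the results."""
    deduped = dedup(events, "src")
    return {
        "events": len(deduped),
        "count_by": [row for _, row in timechart(deduped, span, count_by("src"))],
        "count_as": [row["src"] for _, row in timechart(deduped, span, count_as("src"))],
        "dc": [row["dc(src)"] for _, row in timechart(deduped, span, dc("src"))],
        "single_value_count_as": single_value(timechart(deduped, span, count_as("src"))),
        "total_dc": stats_dc(deduped, "src"),
    }


if __name__ == "__main__":
    for key, value in run().items():
        print(f"{key}: {value}")
```

With the sample data, `count by src` yields a row per bucket with a column of 1 for each src (the value andreacorvini describes), `count as src` yields the per-bucket counts 2, 2, 1, and the single value panel, reading the most recent bucket, shows 1 even though 5 events are listed; `stats dc(src)` over the whole range is the one number, 5, that the original goal asked for.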