Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Graphing off Tstats - total mental block

aymonfoa
Engager
‎12-04-2023 08:42 AM

Got a search like this (I've obfuscated it a bit)

| tstats count where index IN (index1, index2, index3) by _time , host
| where match(host,"^.*.device.mycompany.com$")

Got a great looking stats table - and Im really pleased with the performance of tstats - awesome.

I want to graph the results... easy right?  well no - I cannot for the life of me seem to break down a say, 60 minute span down by host, despite the fact I got this awesome oven ready totally graphable stats table

so I am trying 

| tstats count where index IN (index1, index2, index3) by _time , host
| where match(host,"^.*.device.mycompany.com$")
| timechart count by host

but the count is counting the host, whereas I want to "count the count" ?  Any ideas?  this will be a super simple one I expect - I got a total mental block on this

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎12-04-2023 01:42 PM

You can either use the prestats option as @richgalloway suggests, or the alternative way is to use count in tstats, then sum(count) in timechart, i.e.

| tstats count where index IN (index1, index2, index3) by _time , host
| where match(host,"^.*.device.mycompany.com$")
| timechart sum(count) by host

 

View solution in original post

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎12-04-2023 01:42 PM

You can either use the prestats option as @richgalloway suggests, or the alternative way is to use count in tstats, then sum(count) in timechart, i.e.

| tstats count where index IN (index1, index2, index3) by _time , host
| where match(host,"^.*.device.mycompany.com$")
| timechart sum(count) by host

 

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎12-04-2023 10:34 AM

Add the prestats option to the tstats command.  That will format the results for timechart to use.

| tstats prestats=t count where index IN (index1, index2, index3) by _time , host
| where match(host,"^.*.device.mycompany.com$")
| timechart count by host

 

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...