Solved: How can I group time in buckets for stacked bar ch... - Splunk Community

Dashboards & Visualizations

I have a simple query that produces a stacked bar chart as follows:

index=xxx
| table time, info_owner_deptBusiness, avg_data_residualRisk_max
| chart count(avg_data_residualRisk_max) over time by info_owner_deptBusiness

I would like to group my events by "time" in buckets of 5 minute intervals. My time stamps look like this:

2017-12-20T00:40:08.701+0000

How can I accomplish this while preserving the stacked bar chart visualization?

1 Solution

Solution

Try this:

index=xxx 
| bin span=5m _time 
| chart count(avg_data_residualRisk_max) over _time by info_owner_deptBusiness

View solution in original post

Solution

Try this:

index=xxx 
| bin span=5m _time 
| chart count(avg_data_residualRisk_max) over _time by info_owner_deptBusiness

Perfect, thank you!

Get Updates on the Splunk Community!

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization ...

Finding Based Detections General Availability

Overview We’ve come a long way, folks, but here in Enterprise Security 8.4 I’m happy to announce Finding ...

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Hands-On Learning and Technical Seminars Sometimes, you just need to see the code. For those looking for a ...