Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to create a bar chart for dashboard displaying count on 1st of every month for past year?

rk1165
Loves-to-Learn Lots
‎07-04-2022 04:24 AM

I want to create a bar plot which displays the total number of events on the 1st of every month for the last 12 months. I can't query data for the last 12 months because search timeouts in 5 minutes as we have billions of events.

Is there a way we can do this using timechart or other mechanism?

Thanks

Labels (2)
Labels
0 Karma
Reply

smurf
Communicator
‎07-04-2022 04:44 AM

If you are looking only for the total number of events, you could use tstats. Searching through metadata tends to be quite fast, but could still time-out.

Another possibility would be using summaries. You could schedule a search to run every day/week/month to run for the specific period and have the visualization search run on the summary data.

You can find more about summary indexing here: Use summary indexing for increased search efficiency - Splunk Documentation

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-04-2022 04:44 AM

You could try using metasearch if all you want is counts based on a restricted set of fields

metasearch - Splunk Documentation

You could also restrict your time period to the first of every month

index ... (earliest=-12mon@d latest=-12mon@d+1d) OR (earliest=-11mon@d latest=-11mon@d+1d) OR ...

 You could create summary index entries for each month and query those.

0 Karma
Reply
Get Updates on the Splunk Community!

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...