Dashboards & Visualizations

How to create a bar chart for dashboard displaying count on 1st of every month for past year?

rk1165
Loves-to-Learn Lots

I want to create a bar plot which displays the total number of events on the 1st of every month for the last 12 months. I can't query data for the last 12 months because search timeouts in 5 minutes as we have billions of events.

Is there a way we can do this using timechart or other mechanism?

Thanks

Labels (2)
0 Karma

smurf
Communicator

If you are looking only for the total number of events, you could use tstats. Searching through metadata tends to be quite fast, but could still time-out.

Another possibility would be using summaries. You could schedule a search to run every day/week/month to run for the specific period and have the visualization search run on the summary data.

You can find more about summary indexing here: Use summary indexing for increased search efficiency - Splunk Documentation

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

You could try using metasearch if all you want is counts based on a restricted set of fields

metasearch - Splunk Documentation

You could also restrict your time period to the first of every month

index ... (earliest=-12mon@d latest=-12mon@d+1d) OR (earliest=-11mon@d latest=-11mon@d+1d) OR ...

 You could create summary index entries for each month and query those.

0 Karma
Get Updates on the Splunk Community!

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...