- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
So currently I have a trendline like below...
But I need to have the visual in a way where it shows the stats sum(books) for another date which shows the trend of what it was 4 weeks ago for the stats sum (books) and what it is currently, i tried using span but what that does is it shows me how many books for that particular day and not the stats sum(books) in total. I need something like below.. any help would be greatly appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, you are right - try this
| stats latest(bookName) by id bookNumber _time
| stats dc(bookNumber ) as Books by id _time
| table id Books _time
| timechart span=4w sum(Books)
Note that the date used will be the start of the 4 week period but still contains the sum of all the days in that period.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| timechart sum(books) span=4w
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ITWhisperer Hello, i tried this but the issue with this is that it is not counting the sum(books) as the total it is only counting the sum(books) total for that particular day.,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please share the complete SPL you are using when you say it is only counting for a particular day
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ITWhisperer
index=.....
| stats latest(bookName) by id bookNumber _time
| stats dc(bookNumber ) as Books by id _time
| table id Books _time
| timechart span=24h sum(Books) as Total_Books_Read
| search Total_Books_Read!="null"
the search is running for the last 24 hours..
So i am getting a visual(trendline) that has 524,900 for sum(books)for the last 24 hours but i need a visual that shows the sum(books) every 4 weeks, for the last year. but when i use span=4w for example and have the search run for last year it shows the sum(books) only for that particular day.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Given
| stats latest(bookName) by id bookNumber _time
Then all the counts given by
| stats dc(bookNumber ) as Books by id _time
will be 1, therefore you just need to count the events from the first stats line by time.
index=.....
| stats latest(bookName) by id bookNumber _time
| timechart span=4w count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I cannot really do that as i need the stats sum(books) because for example the books field might have 8, its not always one henceforth that is why i am using stats sum
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, you are right - try this
| stats latest(bookName) by id bookNumber _time
| stats dc(bookNumber ) as Books by id _time
| table id Books _time
| timechart span=4w sum(Books)
Note that the date used will be the start of the 4 week period but still contains the sum of all the days in that period.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Basically you want to search for both time ranges you are making comparison for, then do something like
| timechart sum(Books) span=1mon
| timewrap 1y
to wrap the time periods over a 1year period (I see your example shows a monthly figure for another period - so assume it's a 1y comparison)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried this did not work 😞
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What's your current query?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@bowesmana My current query is as below:
| timechart span=24h sum(Books) as Total_Books
| search Total_Books!="null"