I want two charts in a dashboard - the count of an event by week and by day. Currently I have two scheduled searches:
Daily: | timechart span=1d count
Weekly: | timechart span=1w count
Is there a way that I can use the output of the daily search to do the aggregation? Something like
|loadjob savedsearch="Daily Query"
Yes, you could... give a try creating your saved search, something like this:
index="bla" "your search" | bucket span=1d _time | stats count by _time
Your saved search will end up with a stats by day. After that you could use the loadjob
from that scheduled search and use the timechart, like you mentioned:
| loadjob savedsearch="Daily Query" | timechart span=1w sum(count) as count
Just pay attention as you're already aggregating data in your first stats, the timechart function would be sum()
for this example. The same would work if you use span=1d ... and you still can keep the sum() as being the aggregating function.
Hope it helps...
Cheers,
Hi @alchang
Just following up with this post, but did @musskopf's answer and comment below fully answer your question? If yes, don't forget to resolve this post by clicking "Accept" directly below the answer. Thanks!
Thanks! A related feature I'd like to add: let's suppose that I have daily for the past 30 days, but I want to just add up the weekly for the past two weeks. I tried
| loadjob savedsearch="Daily Query" | timechart span=1w sum(count) as count | where _time>"2015-02-17"
and that didn't do anything.
Don't have any Splunk instance in front of me to test, but the "_time" is actually in seconds, Splunk only has a macro that converts to a readable format if the field name is "_time", so it should look more like:
| loadjob savedsearch="Daily Query" | where _time>(strptime("2015-02-17", "%F")) | timechart span=1w sum(count) as count
The strptime converts a human format to timestamp (epoch). Have a look here to see the formats it accepts: http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Commontimeformatvariables