Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to timechart by multiple time spans in a dashboard?

alchang
Explorer
‎03-04-2015 05:13 PM

I want two charts in a dashboard - the count of an event by week and by day. Currently I have two scheduled searches:
Daily: | timechart span=1d count
Weekly: | timechart span=1w count

Is there a way that I can use the output of the daily search to do the aggregation? Something like
|loadjob savedsearch="Daily Query"

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

musskopf
Builder
‎03-04-2015 05:46 PM

Yes, you could... give a try creating your saved search, something like this:

index="bla" "your search" | bucket bin=1d _time | stats count by _time

Your saved search will endup with a stats by day. After that you could use the loadjob from that scheduled search use the timechart, like you mentioned:

| loadjob savedsearch="Daily Query" | timechart span=1w sum(count) as count

Just pay attention as you're already aggredating data in your first stats, the timechart function would be sum() for this example. The same would work if you use span=1d... and you still can keep the sum() as being the aggregating function.

Hope it helps...
Cheers,

View solution in original post

Reply
Solved! Jump to solution

ppablo
Retired
‎03-16-2015 12:33 PM

Hi @alchang

Just following up with this post, but did @musskopf's answer and comment below fully answer your question? If yes, don't forget to resolve this post by clicking "Accept" directly below the answer. Thanks!

0 Karma
Reply
Solved! Jump to solution
Solution

musskopf
Builder
‎03-04-2015 05:46 PM

Yes, you could... give a try creating your saved search, something like this:

index="bla" "your search" | bucket bin=1d _time | stats count by _time

Your saved search will endup with a stats by day. After that you could use the loadjob from that scheduled search use the timechart, like you mentioned:

| loadjob savedsearch="Daily Query" | timechart span=1w sum(count) as count

Just pay attention as you're already aggredating data in your first stats, the timechart function would be sum() for this example. The same would work if you use span=1d... and you still can keep the sum() as being the aggregating function.

Hope it helps...
Cheers,

Reply
Solved! Jump to solution

alchang
Explorer
‎03-05-2015 10:18 AM

Thanks! A related feature I'd like to add is let's suppose that I have daily for the past 30 days, but I want to just add up the weekly for the past two weeks. I tried

| loadjob savedsearch="Daily Query" | timechart span=1w sum(count) as count | where _time>"2015-02-17" and that didn't do anything.

0 Karma
Reply
Solved! Jump to solution

musskopf
Builder
‎03-08-2015 03:09 PM

Don't have any Splunk instance in front of me to test, but the "_time" is actually in seconds, Splunk only has a macro that converts to a readable format if the field name is "_time", so it should looks more like:

| loadjob savedsearch="Daily Query" | where _time>(strptime("2015-02-17", "%F")) | timechart span=1w sum(count) as count

The strptime converts a humam format to timestamp (epoch). Have a look here to see the formats it accepts: http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Commontimeformatvariables

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...