How to timechart by multiple time spans in a dashboard?

Explorer

I want two charts in a dashboard - the count of an event by week and by day. Currently I have two scheduled searches:
Daily: | timechart span=1d count
Weekly: | timechart span=1w count

Is there a way that I can use the output of the daily search to do the aggregation? Something like
|loadjob savedsearch="Daily Query"

1 Solution

Builder

Yes, you could... give it a try by creating your saved search, something like this:

index="bla" "your search" | bucket span=1d _time | stats count by _time

Your saved search will end up with a stats by day. After that you could use loadjob on that scheduled search and then timechart, like you mentioned:

| loadjob savedsearch="Daily Query" | timechart span=1w sum(count) as count

Just pay attention: as you're already aggregating data in your first stats, the timechart function would be sum() for this example. The same would work if you use span=1d... and you can still keep sum() as the aggregating function.

Hope it helps...
Cheers,


Community Manager

Hi @alchang

Just following up with this post, but did @musskopf's answer and comment below fully answer your question? If yes, don't forget to resolve this post by clicking "Accept" directly below the answer. Thanks!



Explorer

Thanks! A related feature I'd like to add: let's suppose that I have daily for the past 30 days, but I want to just add up the weekly for the past two weeks. I tried

| loadjob savedsearch="Daily Query" | timechart span=1w sum(count) as count | where _time>"2015-02-17"

and that didn't do anything.


Builder

Don't have any Splunk instance in front of me to test, but "_time" is actually in seconds; Splunk only has a macro that converts it to a readable format if the field name is "_time", so it should look more like:

| loadjob savedsearch="Daily Query" | where _time>(strptime("2015-02-17", "%F")) | timechart span=1w sum(count) as count

strptime converts a human-readable format to a timestamp (epoch). Have a look here to see the formats it accepts: http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Commontimeformatvariables
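The two points made in this thread (roll up the pre-aggregated daily rows with sum(), not count(), and compare _time against an epoch value rather than a date string) can be modelled outside Splunk. The Python below is an added example, not Splunk code and not from anyone in the thread: it builds a constructed stand-in for the rows the "Daily Query" saved search would emit, applies the equivalent of the where/strptime filter, and buckets the rows by week. The sample counts, the UTC interpretation of dates, and weeks starting on Monday 00:00 are all assumptions of the example; Splunk's own span=1w alignment may differ, so treat the week anchor as a parameter.

```python
from datetime import datetime, timezone


def strptime_f(date_text: str) -> float:
    """Model of Splunk's strptime(<str>, "%F"): ISO date -> epoch seconds.
    Assumes the date is UTC; a real search would use the search-time zone."""
    return datetime.strptime(date_text, "%Y-%m-%d").replace(tzinfo=timezone.utc).timestamp()


# Constructed stand-in for the output of the "Daily Query" saved search:
# one row per day bucket, _time as epoch seconds, count of events that day.
# The numbers are made up for this example.
DAILY_ROWS = [
    {"_time": strptime_f(day), "count": n}
    for day, n in [
        ("2015-02-09", 5), ("2015-02-10", 7), ("2015-02-11", 3), ("2015-02-12", 8),
        ("2015-02-13", 4), ("2015-02-14", 2), ("2015-02-15", 1),
        ("2015-02-16", 9), ("2015-02-17", 6), ("2015-02-18", 10), ("2015-02-19", 2),
        ("2015-02-20", 5), ("2015-02-21", 3), ("2015-02-22", 0),
        ("2015-02-23", 4), ("2015-02-24", 6),
    ]
]

SECONDS_PER_WEEK = 7 * 86400
# Assumption: weeks start on Monday 00:00 UTC (2015-02-09 is a Monday).
# Change this anchor if your Splunk span=1w buckets start on a different day.
WEEK_ANCHOR = strptime_f("2015-02-09")


def week_bucket(epoch: float) -> float:
    """Floor an epoch time to the start of its week (the bucket/bin step)."""
    return WEEK_ANCHOR + ((epoch - WEEK_ANCHOR) // SECONDS_PER_WEEK) * SECONDS_PER_WEEK


def filter_since(rows, date_text):
    """Model of: | where _time > strptime("<date>", "%F").
    The comparison is numeric (epoch vs epoch), which is why the string
    comparison in the follow-up question did not select anything useful."""
    threshold = strptime_f(date_text)
    return [r for r in rows if r["_time"] > threshold]


def rollup_weekly(rows, func="sum"):
    """Model of: | timechart span=1w <func>(count) over pre-aggregated rows.
    func="sum" adds the daily counts, which is what the answer recommends.
    func="count" is the pitfall: it counts rows, i.e. the number of days that
    had a bucket, not the number of events."""
    weekly = {}
    for r in rows:
        wk = week_bucket(r["_time"])
        weekly[wk] = weekly.get(wk, 0) + (r["count"] if func == "sum" else 1)
    return dict(sorted(weekly.items()))


def weekly_totals(rows, since=None, func="sum"):
    """Full pipeline: optional where-filter, then weekly rollup.
    Returns {ISO date of week start: value} for readability."""
    if since is not None:
        rows = filter_since(rows, since)
    return {
        datetime.fromtimestamp(k, timezone.utc).strftime("%Y-%m-%d"): v
        for k, v in rollup_weekly(rows, func).items()
    }


if __name__ == "__main__":
    print(weekly_totals(DAILY_ROWS))                      # events per week
    print(weekly_totals(DAILY_ROWS, func="count"))        # days per week, not events
    print(weekly_totals(DAILY_ROWS, since="2015-02-17"))  # only rows after the cutoff
```

Running the three calls side by side shows why sum() is the right function once the daily search has already counted: with func="count" every full week reports 7 regardless of traffic. The since filter is applied before the rollup, matching the order in the final answer, so a partial week simply contains fewer days rather than being dropped entirely.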
