Solved: Splunk Timechart span

Splunk3 · ‎01-04-2022

Hi I am trying to count the number of jobs till now and want to show the daily trend using timechart command. Not able to get , may be I am messing up with span option

for eg.. total jobs executed till now is 100 and there is trend of 10 jobs increased today

tomorrow it should show 110 and trend of tomorrows increase job

command - index=.......... projects="*" job_id="*" | dedup job_id | timechart span=60d count

In picture you can see that total events are shown 1688 , I need that as single value and daily trend over it

ITWhisperer · ‎01-04-2022

index=_internal 
| bin _time span=1d 
| sort 0 _time
| stats count by _time
| streamstats sum(count) as total
| table _time total

View solution in original post

Splunk3 · ‎01-04-2022

Yes, but here I need total no of jobs executed till now i.e 1688 in this case( see the total no of events ) and on that I want daily trend

ITWhisperer · ‎01-04-2022

index=_internal 
| bin _time span=1d 
| sort 0 _time
| stats count by _time
| streamstats sum(count) as total
| table _time total

Splunk3 · ‎01-04-2022

Thank you it worked -:)

ITWhisperer · ‎01-04-2022

Shouldn't span=1d if you want daily trends?

Splunk Timechart span

chart

timechart

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!