Solved: Splunk Timechart span

Splunk3 · ‎01-04-2022

Hi I am trying to count the number of jobs till now and want to show the daily trend using timechart command. Not able to get , may be I am messing up with span option

for eg.. total jobs executed till now is 100 and there is trend of 10 jobs increased today

tomorrow it should show 110 and trend of tomorrows increase job

command - index=.......... projects="*" job_id="*" | dedup job_id | timechart span=60d count

In picture you can see that total events are shown 1688 , I need that as single value and daily trend over it

ITWhisperer · ‎01-04-2022

index=_internal 
| bin _time span=1d 
| sort 0 _time
| stats count by _time
| streamstats sum(count) as total
| table _time total

View solution in original post

Splunk3 · ‎01-04-2022

Yes, but here I need total no of jobs executed till now i.e 1688 in this case( see the total no of events ) and on that I want daily trend

ITWhisperer · ‎01-04-2022

index=_internal 
| bin _time span=1d 
| sort 0 _time
| stats count by _time
| streamstats sum(count) as total
| table _time total

Splunk3 · ‎01-04-2022

Thank you it worked -:)

ITWhisperer · ‎01-04-2022

Shouldn't span=1d if you want daily trends?

Splunk Timechart span

chart

timechart

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!