graph or report based on value?

tinhuty
Engager

New to Splunk, sorry if this is trivial.

By default the timeline graph is drawn based on the number of occurrences. I want something different.

Say my log entries are like this:

Timestamp=2011/11/30 15:31:32.424, Timespent=0.4063
Timestamp=2011/11/30 15:24:16.653, Timespent=1.0156
Timestamp=2011/11/30 15:17:01.522, Timespent=0.4219
Timestamp=2011/11/30 15:09:28.907, Timespent=0.1250
Timestamp=2011/11/30 15:02:09.526, Timespent=0.1406
Timestamp=2011/11/30 14:55:10.615, Timespent=0.6875

1) Is it possible to create a report/graph using the Timestamp field as the X-axis and the Timespent field as the Y-axis?
2) How do I create a report that shows the number of records (or percentage) whose Timespent values are between 0-0.5, 0.5-1.0, etc.?

Thanks.


Ayn
Legend

Sure. Use timechart!

First, some explanation on how timechart behaves: timechart needs some kind of statistical function that returns a unique value for the timespan it's operating on. If you don't define the timespan yourself it will be set dynamically depending on what time range the whole search spans, but let's take an example where the timespan is 1 minute and somewhere in your log you have 3 of these events occurring within 1 minute. Splunk needs to know how to give you ONE value for "Value", even though there are 3 values of each. You can tell Splunk to just give you an average from the 3 events using the stats function avg:

... | timechart span=1m avg(Timespent) as Timespent

Or, if you only want the values from the first of the events within the time period, use first instead of avg. Want the sum? Use sum. And so on. More information on statistical functions is available here: http://www.splunk.com/base/Documentation/latest/SearchReference/Stats

There's also a second way to do this, which is to produce a table containing timestamps and values yourself and then feed them into the chart.

... | table _time Timespent

As for the second question, you can achieve this by using bucket to divide Timespent into the intervals you want. Like this:

... | bucket Timespent span=0.5 | stats count by Timespent
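To show what the two searches above actually compute, here is an added Python example (not from the original post and not Splunk's own code) that parses the sample lines from the question, bins Timespent into 0.5-wide ranges with Splunk-style "0-0.5" labels plus counts and percentages, and averages Timespent per time span the way "timechart span=10m avg(Timespent)" would. The 10-minute span, the label format, and the function names are my choices for illustration, not anything from the thread.

```python
import math
import re
from collections import Counter
from datetime import datetime

# Constructed sample input, copied from the format shown in the question.
SAMPLE_LOG = """\
Timestamp=2011/11/30 15:31:32.424, Timespent=0.4063
Timestamp=2011/11/30 15:24:16.653, Timespent=1.0156
Timestamp=2011/11/30 15:17:01.522, Timespent=0.4219
Timestamp=2011/11/30 15:09:28.907, Timespent=0.1250
Timestamp=2011/11/30 15:02:09.526, Timespent=0.1406
Timestamp=2011/11/30 14:55:10.615, Timespent=0.6875
"""

LINE_RE = re.compile(r"Timestamp=(?P<ts>[\d/]+ [\d:.]+), Timespent=(?P<spent>[\d.]+)")


def parse_events(text):
    """Return a list of (datetime, timespent) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f")
        events.append((ts, float(m.group("spent"))))
    return events


def bucket_lower(value, span):
    """Lower bound of the span-wide bucket holding value (lower inclusive, upper exclusive).

    This mirrors how bucket/bin behaves: a value of exactly 0.5 lands in 0.5-1, not 0-0.5.
    round() keeps float drift from producing labels like 0.30000000000000004.
    """
    return round(math.floor(value / span) * span, 10)


def bucket_label(lower, span):
    """Range label in the style bucket produces for numeric spans, e.g. '0-0.5'."""
    return f"{lower:g}-{round(lower + span, 10):g}"


def histogram(events, span=0.5):
    """Equivalent of: bucket Timespent span=<span> | stats count by Timespent.

    Returns {label: (count, percent)} ordered by the bucket's lower bound.
    """
    counts = Counter(bucket_lower(v, span) for _, v in events)
    total = sum(counts.values())
    return {
        bucket_label(lower, span): (n, 100.0 * n / total)
        for lower, n in sorted(counts.items())
    }


def timechart_avg(events, span_minutes=10):
    """Equivalent of: timechart span=<span_minutes>m avg(Timespent).

    Each timestamp is floored to a span boundary, then all values in that bin are averaged.
    span_minutes is assumed to divide 60 evenly. Keys are 'YYYY-MM-DD HH:MM' strings.
    """
    bins = {}
    for ts, v in events:
        start = ts.replace(minute=(ts.minute // span_minutes) * span_minutes,
                           second=0, microsecond=0)
        bins.setdefault(start, []).append(v)
    return {
        start.strftime("%Y-%m-%d %H:%M"): sum(vals) / len(vals)
        for start, vals in sorted(bins.items())
    }


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for label, (n, pct) in histogram(evs).items():
        print(f"{label:>8}  count={n}  {pct:5.1f}%")
    for when, avg in timechart_avg(evs).items():
        print(f"{when}  avg(Timespent)={avg:.4f}")
```

With the six sample lines the histogram gives 4 records in 0-0.5, 1 in 0.5-1 and 1 in 1-1.5; the 15:02 and 15:09 events fall into the same 10-minute span and are averaged to 0.1328, which is exactly the "one value per timespan" behaviour the answer describes. Note the boundary rule: a Timespent of exactly 0.5 is counted in the 0.5-1 bucket.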