- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Reporting
- :
- how to pass time span in datamodel
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We have few data model, but we are not able to pass the span / PERIOD other then default values. this is creating problem as we are not able to put different bucket options (1m, 10 m, 1 h ...) and our chart data is exceeding more then 1000 points. here is simple data model query
| pivot DataModel_ABC perf count(TPS) AS "tps" sum(execTime) AS "execTime" SPLITROW _time AS _time PERIOD auto SPLITROW host AS hostname
Please let me know
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, Today I was working on similar requirement.. so here is example how you can use accelerated datamodel and create timechart with custom timespan using tstats command. You can't pass custome time span in Pivot.
index=abc earliest=01/08/2015:11:00:00 latest=01/08/2015:11:12:00 | timechart span=2m count
The equivalent is using tstats is
| tstats count where earliest=01/08/2015:11:00:00 latest=01/08/2015:11:12:00 index=abc groupby _time span=1m
For you requirement with datamodel name DataModel_ABC, use the below command
| tstats count from datamodel=DataModel_ABC where earliest=01/08/2015:11:00:00 latest=01/08/2015:11:12:00 groupby _time span=2m
Hope this will help all splunkers and you too.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This works with some workaround on data model , here is new query
| tstats sum(ABC.time) as time FROM datamodel=DataModel_ABC groupby ABC.id,_time|| timechart avg(time) as time by id
however, I was using post processing in my dashboard. so now I have to write one direct query in dashboard.
second avg time value I am not able to round up, as after this search round function is not working, may be I am missing something
eval time=round(time,2)
third, I am plotting TPS, but using this model and printing below query doesn't give right information on data model.
| eval count=1 | timechart per_second(count)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, Today I was working on similar requirement.. so here is example how you can use accelerated datamodel and create timechart with custom timespan using tstats command. You can't pass custome time span in Pivot.
index=abc earliest=01/08/2015:11:00:00 latest=01/08/2015:11:12:00 | timechart span=2m count
The equivalent is using tstats is
| tstats count where earliest=01/08/2015:11:00:00 latest=01/08/2015:11:12:00 index=abc groupby _time span=1m
For you requirement with datamodel name DataModel_ABC, use the below command
| tstats count from datamodel=DataModel_ABC where earliest=01/08/2015:11:00:00 latest=01/08/2015:11:12:00 groupby _time span=2m
Hope this will help all splunkers and you too.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have the same problem, and hope to get a solution.
Developer Spotlight with Paul Stout
State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...
Data-Driven Success: Splunk & Financial Services
