Join the Conversation
- Find Answers
- :
- Splunk Products
- :
- Splunk Cloud Platform
- :
- Chaining from a timechart
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
All,
I know from the docs that the base of a chained search should be a transforming command, such as stats or timechart. However I cannot figure out how to make timechart work. I want to have 2 visualizations on my dashboard: one that is a timechart (visualized as lines) and another that shows the totals for each line or bar over the entire range. (It would also be ok to integrate the total into the timechart/linechart but I haven't been able to figure that out, either.)
Here is the timechart that I'm trying to use as my base:
...| timechart count by kubernetes.pod_name
This works as expected. Now I want to show a table of the totals for each pod. IOW, if the counts were 100, 120, and 200 for 3 time periods for a single pod, I want one row that shows 420 for that pod:
| stats sum(count) by kubernetes.pod_name
This does not produce any output. I think the issue might be kubernetes.pod_name, but I don't know what the output fields of timechart are called.
I have also tried using just the initial search as the base and having 2 chained searches-- one for timechart and one for stats-- but I run in to the event limit.
How can I chain from timechart?
thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I ended up using the stats "trick" mentioned by bowesmana here:
Specifically I added this to my base search:
stats count by _time,kubernetes.pod_name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I ended up using the stats "trick" mentioned by bowesmana here:
Specifically I added this to my base search:
stats count by _time,kubernetes.pod_name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Glad to see the old posts still have value 😊
Just a minor addition to consider - timechart will create buckets of _time depending on the time period you are looking at, so if you are searching a week, it will give you 1 day buckets and if you search 24h it will give you 30 minute buckets.
When you do stats by _time if you have lots of data per second, then your stats will generate a lot of results, so if you do use the stats technique mentioned, it's worth considering a
| bin _time span=Xto define the bucket. If you don't know in advance what bucket size you want, but know what your minimum would be, e.g. 1h, then add in span=1h simply to reduce the volume. So if you had 1 million events per hour, if you don't do the bin, you would exceed the base search result set, whereas with span=1h you would get a single result per hour.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Run the base search interactively and notice the fields produced. You should see the timechart fields don't match those expected by stats.
I suggest changing the base search to stop immediately before the timechart command. Then have two chained searches - one for timechart and one for stats.
If this reply helps you, Karma would be appreciated.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
