Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Apply a factor to count in timechart

splunkprimeriti
Explorer
‎02-08-2014 12:59 AM

Hi.

I'm triying to correlate in a time chart number of visits with average response time but time is in milisecons and visits in thousands, so y want to aply a factor to count thousands instead of visits, but seems I can not apply directly to a count. I also tried to eval it previously but still getting invalid command.

so how do I apply a factor to a count in order to reduce its magnitude for a timechart? I'm using splunkstorm

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-08-2014 09:43 AM

Try this workaround. Assumming your original query is like this (giving count in 1000's and you want to apply a factor fct to reduce the magnitude of values.
Orig:

index=XX sourcetype=YY | timechart span=NN count by somefield

Updated:

index=XX sourcetype=YY | bucket span=NN _time | stats count by somefield,_time | timechart sum(eval(count/fct)) as count by somefield | makecontinous _time span=NN

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-08-2014 09:43 AM

Try this workaround. Assumming your original query is like this (giving count in 1000's and you want to apply a factor fct to reduce the magnitude of values.
Orig:

index=XX sourcetype=YY | timechart span=NN count by somefield

Updated:

index=XX sourcetype=YY | bucket span=NN _time | stats count by somefield,_time | timechart sum(eval(count/fct)) as count by somefield | makecontinous _time span=NN
0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎02-08-2014 02:19 AM

How did you try eval? That's probably how you would achieve this.

0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...