Solved: Re: Apply a factor to count in timechart

splunkprimeriti · ‎02-08-2014

Hi.

I'm triying to correlate in a time chart number of visits with average response time but time is in milisecons and visits in thousands, so y want to aply a factor to count thousands instead of visits, but seems I can not apply directly to a count. I also tried to eval it previously but still getting invalid command.

so how do I apply a factor to a count in order to reduce its magnitude for a timechart? I'm using splunkstorm

somesoni2 · ‎02-08-2014

Try this workaround. Assumming your original query is like this (giving count in 1000's and you want to apply a factor fct to reduce the magnitude of values.
Orig:

index=XX sourcetype=YY | timechart span=NN count by somefield

Updated:

index=XX sourcetype=YY | bucket span=NN _time | stats count by somefield,_time | timechart sum(eval(count/fct)) as count by somefield | makecontinous _time span=NN

View solution in original post

somesoni2 · ‎02-08-2014

Try this workaround. Assumming your original query is like this (giving count in 1000's and you want to apply a factor fct to reduce the magnitude of values.
Orig:

index=XX sourcetype=YY | timechart span=NN count by somefield

Updated:

index=XX sourcetype=YY | bucket span=NN _time | stats count by somefield,_time | timechart sum(eval(count/fct)) as count by somefield | makecontinous _time span=NN

Ayn · ‎02-08-2014

How did you try eval? That's probably how you would achieve this.

Apply a factor to count in timechart

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation