Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Apply a factor to count in timechart

splunkprimeriti
Explorer
‎02-08-2014 12:59 AM

Hi.

I'm triying to correlate in a time chart number of visits with average response time but time is in milisecons and visits in thousands, so y want to aply a factor to count thousands instead of visits, but seems I can not apply directly to a count. I also tried to eval it previously but still getting invalid command.

so how do I apply a factor to a count in order to reduce its magnitude for a timechart? I'm using splunkstorm

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-08-2014 09:43 AM

Try this workaround. Assumming your original query is like this (giving count in 1000's and you want to apply a factor fct to reduce the magnitude of values.
Orig:

index=XX sourcetype=YY | timechart span=NN count by somefield

Updated:

index=XX sourcetype=YY | bucket span=NN _time | stats count by somefield,_time | timechart sum(eval(count/fct)) as count by somefield | makecontinous _time span=NN

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-08-2014 09:43 AM

Try this workaround. Assumming your original query is like this (giving count in 1000's and you want to apply a factor fct to reduce the magnitude of values.
Orig:

index=XX sourcetype=YY | timechart span=NN count by somefield

Updated:

index=XX sourcetype=YY | bucket span=NN _time | stats count by somefield,_time | timechart sum(eval(count/fct)) as count by somefield | makecontinous _time span=NN
0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎02-08-2014 02:19 AM

How did you try eval? That's probably how you would achieve this.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...