I haven't seen much on creating a bell curve in Splunk. I've created a query that returns 30,000 events for 40+ associates over a month. Each event contains the number of minutes they've worked a specific activity. I then use stats to sum the time each associate works:
stats sum(hoursWorked) by Associate
but I want to use bins to create a bell curve to show the "normal" distribution of each associate's work. I have tried several ways with no success. I'm basically trying to show the number of associates that fall into each bin of number of hours worked.
I want it to be something like:
bin span=5 hoursWorked |
stats count(sum(hoursWorked) by Associate) by hoursWorked
but I realize I'm trying to count a table there. Help?
If you want to chart the distribution of monthly sums, you can do this:
stats sum(hoursWorked) as hours by Associate
| bin span=5 hours
| stats count by hours
That will give you a chart with the number of Associates per five-hour spans of monthly work.
You can add a | sort hours, which should use a more natural sorting order than stats.
Thank you ... this worked fairly well, but for one small problem. The bins are treated as strings, which means that, when graphed, it shows the bin "5-10" (hours) after the bin "25-30".
And this is exacerbated if I make the bins for 1 hour spreads.
Any idea how I can fix that?
Got it. Removed the bins, then did chart count span={}
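The sort-order problem from the follow-up, worked through as an added example that is not from any poster in this thread: it buckets with numeric eval arithmetic instead of bin, so the bucket values stay numbers and sort in natural order. The makeresults rows are constructed sample data, and the field names bucket and associates are assumptions; Associate, hoursWorked and hours come from the thread.

```spl
| makeresults count=2000
| eval Associate="assoc".(random() % 40), hoursWorked=(random() % 240) / 60
| stats sum(hoursWorked) as hours by Associate
| eval bucket=floor(hours / 5) * 5
| stats count as associates by bucket
| makecontinuous bucket span=5
| fillnull value=0 associates
| sort 0 bucket
```

On real data, replace the first two lines with the base search. The makecontinuous and fillnull steps add zero-count rows for empty five-hour buckets, so gaps in the distribution show up in the chart.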