Can you help me with the following timechart query?

atulitm
Path Finder
index=X sourcetype=X source=X  | timechart first(percentage_allocation) as percentage_allocation by devicename

I am facing an issue with the following query in the case where there are multiple logs with a different variable named "link", and I would like to use that as a data search, like:

devicename=a percentage_allocation=1 link=a
devicename=a percentage_allocation=2 link=a
devicename=a percentage_allocation=3 link=b

The above query will look for the first log of percentage_allocation by devicename in that month and show the percentage allocation, but I would like to make sure it shows me the data on the basis of different links as well. I can't see any option to use a function to get data on the basis of the new variable "link" in timechart, as it allows only the BY keyword, and OVER is already used for time.

Can I use a 3rd variable as a data qualifier?

kmaron
Motivator

You could use an eval to combine your devicename and link into one field, then do a timechart:

index=X sourcetype=X source=X 
| eval device_link = devicename." - ".link
| timechart first(percentage_allocation) as percentage_allocation by device_link

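
The approach in the answer above, as an added example that is not part of the original thread: the events are constructed with makeresults so the search runs without any index. It goes one step beyond the answer by giving events with no link value their own series (concatenating a null field in eval yields null, so those events would otherwise land in timechart's NULL series) and by lifting timechart's default limit of 10 series. The sample field values and the "no_link" label are assumptions made for the illustration.

```spl
| makeresults count=6
| streamstats count as n
| eval _time = now() - n*3600
| eval devicename = case(n<=4, "a", true(), "b")
| eval link = case(n<=2, "a", n<=4, "b", true(), null())
| eval percentage_allocation = n
| eval device_link = devicename." - ".coalesce(link, "no_link")
| timechart span=1h limit=0 first(percentage_allocation) as percentage_allocation by device_link
```

The result has one column per devicename/link pair ("a - a", "a - b", "b - no_link") instead of one column per devicename.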

atulitm
Path Finder

This works like a charm. I didn't know I could use the timechart command like that too. Thanks for the help.

HiroshiSatoh
Champion

Cannot.

Can you substitute BIN and STATS for example?

index=X sourcetype=X source=X 
| bin span=XX _time
| stats first(percentage_allocation) as percentage_allocation by _time,devicename,link

atulitm
Path Finder

This stats query doesn't work, as I am expecting the output in a chart.
