Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can you help me with the following timechart query?

atulitm
Path Finder
‎12-11-2018 03:25 AM 
index=X sourcetype=X source=X  | timechart first(percentage_allocation) as percentage_allocation by devicename

I am facing an issue with the following query, in case, where there are multiple logs with a different variable named "link" and I would like to use that as a data search like : 

devicename=a percentage_allocation=1 link=a
devicename=a percentage_allocation=2 link=a
devicename=a percentage_allocation=3 link=b

Above query will look for the first log of percentage_allocation by devicename in that month and show percentage allocation, but i would like to make sure it shows me on a basis of different links as well, but I can't see any option to use any function to get data on a basis of new variable which is "link" in timechart as it allows only BY keyword and OVER is already for time.

Can i use a 3rd variable as a data qualifier?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kmaron
Motivator
‎12-11-2018 01:20 PM

you could use an eval to combine your devicename and link into one field then do a timechart

index=X sourcetype=X source=X 
| eval device_link = devicename." - ".link
| timechart first(percentage_allocation) as percentage_allocation by device_link

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

kmaron
Motivator
‎12-11-2018 01:20 PM

you could use an eval to combine your devicename and link into one field then do a timechart

index=X sourcetype=X source=X 
| eval device_link = devicename." - ".link
| timechart first(percentage_allocation) as percentage_allocation by device_link
0 Karma
Reply
Solved! Jump to solution

atulitm
Path Finder
‎12-14-2018 03:13 AM

This works like charm . I didnt knew i can use timechart command like that too . Thanks for help .

0 Karma
Reply
Solved! Jump to solution

HiroshiSatoh
Champion
‎12-11-2018 03:38 AM

can not·

Can you substitute BIN and STATS for example?

index=X sourcetype=X source=X 
| bin span=XX _time
| stats first(percentage_allocation) as percentage_allocation by _time,devicename,link
0 Karma
Reply
Solved! Jump to solution

atulitm
Path Finder
‎12-14-2018 03:12 AM

This stats query doesnt work as i am expecting output in chart .

0 Karma
Reply
Get Updates on the Splunk Community!

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...