Can you help me with the following timechart query?

atulitm
Path Finder
index=X sourcetype=X source=X  | timechart first(percentage_allocation) as percentage_allocation by devicename

I am facing an issue with the following query in the case where there are multiple logs with a different variable named "link", and I would like to use that as a data search like:

devicename=a percentage_allocation=1 link=a
devicename=a percentage_allocation=2 link=a
devicename=a percentage_allocation=3 link=b

The above query will look for the first log of percentage_allocation by devicename in that month and show the percentage allocation, but I would like to make sure it shows me the data on the basis of different links as well. I can't see any option to use a function to get data on the basis of the new variable "link" in timechart, as it allows only the BY keyword and OVER is already used for time.

Can I use a 3rd variable as a data qualifier?


kmaron
Motivator

You could use an eval to combine your devicename and link into one field, then do a timechart.

index=X sourcetype=X source=X 
| eval device_link = devicename." - ".link
| timechart first(percentage_allocation) as percentage_allocation by device_link
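
The combined-field approach above, run on the question's three sample events, as an added example that is not part of the original thread. The events are constructed with makeresults, and a fourth event without a link is added; the coalesce placeholder "no link" and limit=0 are assumptions, used because the concatenation yields no value when link is missing and because timechart folds series beyond its default limit into OTHER.

```spl
| makeresults count=4
| streamstats count as n
| eval devicename="a", percentage_allocation=n, link=case(n<3, "a", n=3, "b")
| eval device_link = devicename." - ".coalesce(link, "no link")
| timechart span=1d limit=0 first(percentage_allocation) as percentage_allocation by device_link
```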


atulitm
Path Finder

This works like a charm. I didn't know I could use the timechart command like that too. Thanks for the help.

HiroshiSatoh
Champion

Cannot.

Can you substitute BIN and STATS, for example?

index=X sourcetype=X source=X 
| bin span=XX _time
| stats first(percentage_allocation) as percentage_allocation by _time,devicename,link

atulitm
Path Finder

This stats query doesn't work, as I am expecting the output in a chart.
