Splunk Search

Chart based on # of events

Path Finder

I want to create charts based on number of results. I have tried

"172.20.3.6 (199.0.8.62 OR 199.0.8.57) StoresOutBound | timechart count by ATMs" (ATMs being a searchable field).

The problem is it then separates the chart into the top 10 or so results. I have tried
"172.20.3.6 (199.0.8.62 OR 199.0.8.57) StoresOutBound | timechart count by Events" (Events just being a random word).

This actually works, but then the results are labeled as a null value. I am looking to create a time chart based on number of events.

Tags (3)
0 Karma
1 Solution

Path Finder

172.20.3.6 (199.0.8.62 OR 199.0.8.57) StoresOutBound | timechart count by Events | rename null as Events

View solution in original post

0 Karma

Path Finder

172.20.3.6 (199.0.8.62 OR 199.0.8.57) StoresOutBound | timechart count by Events | rename null as Events

View solution in original post

0 Karma

Communicator

same question here

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!