Splunk Search

Display a time chart for the distinct count of values in a field

veerappan
New Member

I am beginner to Splunk and could you help me with the following scenario.

Lets take I have a table with the field name "Computer".

The field Name "Computer" when searched for different time period gives me different values.

When I search for April the result is : a,b,c,d,c
When I search for May the result is : a,b,c,d,e,f,a,b

So the distinct count for April is 4 and for May is 6.

I would like to create a chart which shows the following.

April - 4
May - 6

What search query could I use to display such a chart which shows me the distinct count of field "Computer" on a monthly basis.

Thanks in advance.

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

The timechart command has a function for that purpose called distinct_count (usually, the dc abbreviation is used).

For example:

index=foo Computer=* | timechart span=1mon dc(Computer)
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

veerappan
New Member

Thanks @richgalloway for the answer.

Probably can you help me with one more question ?

If I have two different search criteria like the following
index=foo host = abc Computer=* | timechart span=1mon dc(Computer)
index= foo host = xyz Computer=* | timechart span=1mon dc(Computer)

Can I integrate both of these into a same chart ?
I would like display the results of different criteria as different columns in the same chart. Is that possible with the above query ?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Try this:

index=foo (host=abc OR host=xyz) Computer=* | timechart span=1mon dc(Computer) by host
---
If this reply helps you, Karma would be appreciated.
0 Karma

veerappan
New Member

Thanks it works perfectly

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The timechart command has a function for that purpose called distinct_count (usually, the dc abbreviation is used).

For example:

index=foo Computer=* | timechart span=1mon dc(Computer)
---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...