Splunk Search

Display a time chart for the distinct count of values in a field

veerappan
New Member

I am beginner to Splunk and could you help me with the following scenario.

Lets take I have a table with the field name "Computer".

The field Name "Computer" when searched for different time period gives me different values.

When I search for April the result is : a,b,c,d,c
When I search for May the result is : a,b,c,d,e,f,a,b

So the distinct count for April is 4 and for May is 6.

I would like to create a chart which shows the following.

April - 4
May - 6

What search query could I use to display such a chart which shows me the distinct count of field "Computer" on a monthly basis.

Thanks in advance.

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

The timechart command has a function for that purpose called distinct_count (usually, the dc abbreviation is used).

For example:

index=foo Computer=* | timechart span=1mon dc(Computer)
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

veerappan
New Member

Thanks @richgalloway for the answer.

Probably can you help me with one more question ?

If I have two different search criteria like the following
index=foo host = abc Computer=* | timechart span=1mon dc(Computer)
index= foo host = xyz Computer=* | timechart span=1mon dc(Computer)

Can I integrate both of these into a same chart ?
I would like display the results of different criteria as different columns in the same chart. Is that possible with the above query ?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Try this:

index=foo (host=abc OR host=xyz) Computer=* | timechart span=1mon dc(Computer) by host
---
If this reply helps you, Karma would be appreciated.
0 Karma

veerappan
New Member

Thanks it works perfectly

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The timechart command has a function for that purpose called distinct_count (usually, the dc abbreviation is used).

For example:

index=foo Computer=* | timechart span=1mon dc(Computer)
---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

How I instrumented a Rust application without knowing Rust

As a technical writer, I often have to edit or create code snippets for Splunk's distributions of ...

Splunk Community Platform Survey

Hey Splunk Community, Starting today, the community platform may prompt you to participate in a survey. The ...

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...