Splunk Search
Highlighted

Display a time chart for the distinct count of values in a field

New Member

I am beginner to Splunk and could you help me with the following scenario.

Lets take I have a table with the field name "Computer".

The field Name "Computer" when searched for different time period gives me different values.

When I search for April the result is : a,b,c,d,c
When I search for May the result is : a,b,c,d,e,f,a,b

So the distinct count for April is 4 and for May is 6.

I would like to create a chart which shows the following.

April - 4
May - 6

What search query could I use to display such a chart which shows me the distinct count of field "Computer" on a monthly basis.

Thanks in advance.

0 Karma
Highlighted

Re: Display a time chart for the distinct count of values in a field

SplunkTrust
SplunkTrust

The timechart command has a function for that purpose called distinct_count (usually, the dc abbreviation is used).

For example:

index=foo Computer=* | timechart span=1mon dc(Computer)
---
If this reply helps you, an upvote would be appreciated.

View solution in original post

0 Karma
Highlighted

Re: Display a time chart for the distinct count of values in a field

New Member

Thanks @richgalloway for the answer.

Probably can you help me with one more question ?

If I have two different search criteria like the following
index=foo host = abc Computer=* | timechart span=1mon dc(Computer)
index= foo host = xyz Computer=* | timechart span=1mon dc(Computer)

Can I integrate both of these into a same chart ?
I would like display the results of different criteria as different columns in the same chart. Is that possible with the above query ?

0 Karma
Highlighted

Re: Display a time chart for the distinct count of values in a field

SplunkTrust
SplunkTrust

Try this:

index=foo (host=abc OR host=xyz) Computer=* | timechart span=1mon dc(Computer) by host
---
If this reply helps you, an upvote would be appreciated.
0 Karma
Highlighted

Re: Display a time chart for the distinct count of values in a field

New Member

Thanks it works perfectly

0 Karma