Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Display data in timechart

kirrusk
Communicator
‎03-19-2020 01:04 AM

I'm using summary index to get data and display in timechart. but not able to create a time chart with the data.

index = summary_dm search_name = Instance_count | table total_Instancecount _time

(total_Instancecount, _time) these are the two fields

summary in is created by using
index = application cf_org = cf_space = cf_app = instance_index = |bucket _time span=1min| dedup cf_org cf_space cf_app instance_index | timechart span=1min count(instance_index) by cf_app| addtotals fieldname = Total_instances | fields _time Total_instances

report is scheduled using above query

summary index is populated with _time total_Instancecount.

0 Karma
Reply

woodcock
Esteemed Legend
‎03-19-2020 09:28 AM

Try this:

 index = summary_dm search_name = Instance_count
 | timechart sum(Total_instances) AS Total_instances
Reply

niketn
Legend
‎03-19-2020 01:45 AM

@kirrusk what is the frequency of your summary indexing? Also how is summary index being created? For plotting timechart what is the span you are looking for

index = summary_dm search_name = Instance_count
| timechart sum(total_Instancecount) as total_Instancecount
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

kirrusk
Communicator
‎03-19-2020 03:20 AM

summary in is created by using
index = application cf_org = * cf_space = * cf_app = * instance_index = * |bucket _time span=1min| dedup cf_org cf_space cf_app instance_index | timechart span=1min count(instance_index) by cf_app| addtotals fieldname = Total_instances | fields _time Total_instances

report is scheduled using above query

summary index is populated with _time Total_instances.

0 Karma
Reply

niketn
Legend
‎03-19-2020 09:30 AM

@kirrusk did you try the above query? Does it work for you?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...