Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Distinct count by hour by type

plucas_splunk
Splunk Employee
Splunk Employee
‎04-05-2017 03:25 PM

I currently have a search:

... | eval hour=strftime(_time,"%H") |
streamstats time_window=1h dc(vehicle_id) AS dc_vid |
timechart max(dc_vid) by hour fixedrange=false

This correctly produces the number of distinct vehicles on a particular route by hour.

But now assume that there are two different vehicle types: bus and streetcar. So I want to modify the chart to show the same thing, but each bar should be a stacked bar composed of the number of distinct vehicles by vehicle_type by hour.

I've tried all manner of fiddling with the search and I can't seem to get it.

BTW: the existing search shows each hour as a different colored bar. I don't actually care about that. For the new chart, two colors would be fine (one for each vehicle type in the stacked bar).

0 Karma
Reply

woodcock
Esteemed Legend
‎04-05-2017 07:23 PM

Like this:

... | eval vehicle_type=case(PUT YOUR STUFF HERE)
| timechart span=1h dc(vehicle_id) AS dc_vid BY vehicle_type
Reply

plucas_splunk
Splunk Employee
Splunk Employee
‎04-05-2017 07:46 PM

This pretty much works. 🙂

0 Karma
Reply

woodcock
Esteemed Legend
‎04-05-2017 08:09 PM

There is value in simplicity, even if it is not a perfect fit.

0 Karma
Reply

somesoni2
Revered Legend
‎04-05-2017 06:13 PM

How about this?

... | eval hour=strftime(_time,"%H") |
 streamstats time_window=1h dc(vehicle_id) AS dc_vid by vehicle_type|
 timechart max(dc_vid) by vehicle_type fixedrange=false

OR

... | eval hour=vehicle_type.":".strftime(_time,"%H") |
 streamstats time_window=1h dc(vehicle_id) AS dc_vid by vehicle_type|
 timechart max(dc_vid) by hour fixedrange=false
0 Karma
Reply

plucas_splunk
Splunk Employee
Splunk Employee
‎04-05-2017 07:42 PM

Neither of those works.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...