Distinct count by hour by type

plucas_splunk · ‎04-05-2017

I currently have a search:

... | eval hour=strftime(_time,"%H") |
streamstats time_window=1h dc(vehicle_id) AS dc_vid |
timechart max(dc_vid) by hour fixedrange=false

This correctly produces the number of distinct vehicles on a particular route by hour.

But now assume that there are two different vehicle types: bus and streetcar. So I want to modify the chart to show the same thing, but each bar should be a stacked bar composed of the number of distinct vehicles by vehicle_type by hour.

I've tried all manner of fiddling with the search and I can't seem to get it.

BTW: the existing search shows each hour as a different colored bar. I don't actually care about that. For the new chart, two colors would be fine (one for each vehicle type in the stacked bar).

woodcock · ‎04-05-2017

Like this:

... | eval vehicle_type=case(PUT YOUR STUFF HERE)
| timechart span=1h dc(vehicle_id) AS dc_vid BY vehicle_type

plucas_splunk · ‎04-05-2017

This pretty much works. 🙂

woodcock · ‎04-05-2017

There is value in simplicity, even if it is not a perfect fit.

somesoni2 · ‎04-05-2017

How about this?

... | eval hour=strftime(_time,"%H") |
 streamstats time_window=1h dc(vehicle_id) AS dc_vid by vehicle_type|
 timechart max(dc_vid) by vehicle_type fixedrange=false

OR

... | eval hour=vehicle_type.":".strftime(_time,"%H") |
 streamstats time_window=1h dc(vehicle_id) AS dc_vid by vehicle_type|
 timechart max(dc_vid) by hour fixedrange=false

plucas_splunk · ‎04-05-2017

Neither of those works.

Distinct count by hour by type

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!

Enterprise Security Content Update (ESCU) | New Releases