Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Highlighted

Help with time chart search that accumulates total count over 6 months

mayank101
New Member
‎07-22-2019 10:04 AM

I have a search that accumulates the total count for host over a 6 period of months.
Now when I am trying to draw a time chart for it, I am unable to do so.
It shows the result incorrectly- if it is showing one.
Could anyone help in correcting it?

|savedsearch "r1"
| bin _time span=6mon
|top 10 host by event,_time     | sort-count  | eventstats sum(count) as TotalNumber| eval PercentOfTotal = round(100 * count / TotalNumber,2). "%"
| stats  list(entity) as "Entity" list(count) as "Count", sum(count) as "Total"  by host ,_time
| sort-Total  
| addinfo 
| eval rank=1 | accum rank   | sort +num(rank)  | head (rank <=10)   | fields rank, host,Count,Total | eval Entity=mvindex(Entity,0,9) 
| eval Count=mvindex(Count,0,9) | eval Percent=mvindex(Percent,0,9)  | timechart span=1d useother=f count by host
0 Karma
Reply