Splunk Search

Help with timechart display

ChhayaV
Communicator

Hi,

this is my search:

index=tm_idx host="server" | rex field=msg "(?i)TM1\sserver\sload\stime\s(secs)\s=\s(?P<timetakentostart>\w+)" |where timetakentostart!="" |sort _time | stats list(timetakentostart) by date_month

which is giving me the following output:

date_month list(timetakentostart)

april 23 23 15 15 73 73 25 25

february 24 13

january 9 12 12

july 34 52353 24

june 23

march 18 10 13

may 25 15 16 16 74

september 21 17

But I want it as:
date_month list(timetakentostart)

april 23:1 23:2 15:1 15:2 73:1 73:2 25:1 25:2

february 24:1 13:1

january 9:1 12:1 12:2

How can I do it?
Any suggestion will be a great help.

Thanks

0 Karma
1 Solution

emiller42
Motivator

So, I'm not sure if what you're trying to do is actually a good idea. But here's an idea of how to accomplish it.

index=tm_idx host="server"
| rex field=msg "(?i)TM1\sserver\sload\stime\s(secs)\s=\s(?P<timetakentostart>\w+)" |where timetakentostart!=""
| bucket _time span=1m
| streamstats count by timetakentostart _time
| eval newfield=timetakentostart + ":" + count
| stats list(newfield) by _time

That will get you the kind of listing you want.

Now, I think the real question is: What is the purpose of this data? What is the question it intends to answer? Because what you're trying to build seems extremely convoluted, and it's not apparent why it needs to be.


0 Karma
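An added example, not code from the thread: a small Python simulation of what the streamstats/eval pipeline in the accepted answer does, so the numbering can be checked offline. It groups by the asker's date_month rather than by a 1-minute _time bucket, the sample events are constructed, and it assumes the log text literally contains "(secs)", so that part of the regex is escaped here.

```python
import re
from collections import defaultdict
from datetime import datetime

# Regex from the question with the capture-group name restored; "(secs)" is
# escaped on the assumption that the log line contains it literally.
LOAD_TIME_RE = re.compile(
    r"(?i)TM1\sserver\sload\stime\s\(secs\)\s=\s(?P<timetakentostart>\w+)"
)

# Constructed sample events: (_time, msg). Values repeat within a month on purpose.
SAMPLE_EVENTS = [
    ("2023-04-03 08:00:00", "TM1 server load time (secs) = 23"),
    ("2023-04-10 08:00:00", "TM1 server load time (secs) = 23"),
    ("2023-04-17 08:00:00", "TM1 server load time (secs) = 15"),
    ("2023-04-24 08:00:00", "TM1 server load time (secs) = 15"),
    ("2023-02-01 08:00:00", "TM1 server load time (secs) = 24"),
    ("2023-02-15 08:00:00", "TM1 server load time (secs) = 13"),
    ("2023-01-05 08:00:00", "TM1 server load time (secs) = 9"),
    ("2023-01-12 08:00:00", "TM1 server load time (secs) = 12"),
    ("2023-01-19 08:00:00", "TM1 server load time (secs) = 12"),
    ("2023-01-20 08:00:00", "unrelated message"),  # no match, dropped by the where clause
]


def extract(events):
    """rex + where: yield (time, timetakentostart) only for events whose msg matches."""
    for ts, msg in events:
        m = LOAD_TIME_RE.search(msg)
        if m:  # where timetakentostart!="" drops events with no extraction
            yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), m.group("timetakentostart")


def label_occurrences(events):
    """Equivalent of: sort _time | streamstats count by timetakentostart date_month
    | eval newfield=timetakentostart + ":" + count | stats list(newfield) by date_month.
    Returns {date_month: [label, ...]} with labels in _time order."""
    rows = sorted(extract(events), key=lambda r: r[0])  # sort _time
    seen = defaultdict(int)      # streamstats running count per (month, value)
    out = defaultdict(list)      # stats list(newfield) by date_month
    for t, value in rows:
        month = t.strftime("%B").lower()  # Splunk's date_month is the lowercase month name
        seen[(month, value)] += 1
        out[month].append(f"{value}:{seen[(month, value)]}")  # eval newfield
    return dict(out)


if __name__ == "__main__":
    for month, labels in label_occurrences(SAMPLE_EVENTS).items():
        print(month, " ".join(labels))
```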

ChhayaV
Communicator

Thanks for your help 🙂

0 Karma

emiller42
Motivator

Ahh, totally get that. Glad I could help and good luck!

0 Karma

ChhayaV
Communicator

This is one business requirement.

0 Karma

gkanapathy
Splunk Employee

Sounds like you need ... | stats count by date_month,timetakentostart

Though in general it is a terrible practice to use date_month. Better to use timechart span=1mon count by timetakentostart.

0 Karma

ChhayaV
Communicator

Hi, thanks for the reply.
Actually, I want to label entries, e.g. the first occurrence as 16:1 and the second occurrence in the same month as 16:2, so that I can show them as different stacks in a stacked chart; otherwise Splunk groups the same values.

0 Karma