- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Help with timechart display
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi,
this is my search
index=tm_idx host="server" | rex field=msg "(?i)TM1\sserver\sload\stime\s(secs)\s=\s(?P
which is giving me following output
date_month list(timetakentostart)
april 23 23 15 15 73 73 25 25
february 24 13
january 9 12 12
july 34 52353 24
june 23
march 18 10 13
may 25 15 16 16 74
september 21 17
But i want is as
date_month list(timetakentostart)
april 23:1 23:2 15:1 15:2 73:1 73:2 25:1 25:2
february 24:1 13:1
january 9:1 12:1 12:2
How can i do it?
any suggestion will a great help
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So, I'm not sure if what you're trying to do is actually a good idea. But here's an idea of how to accomplish it.
index=tm_idx host="server"
| rex field=msg "(?i)TM1sserversloadstimes(secs)s=s(?P<timetakentostart>w+)" |where timetakentostart!=""
| bucket _time span=1m
| streamstats count by timetakentostart _time
| eval newfield=timetakentostart + ":" + count
| stats list(newfield) by _time
That will get you the kind of listing you want.
Now, I think the real question is: What is the purpose of this data? What is the question it intends to answer? Because what you're trying to build seems extremely convoluted, and it's not apparent why it needs to be.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So, I'm not sure if what you're trying to do is actually a good idea. But here's an idea of how to accomplish it.
index=tm_idx host="server"
| rex field=msg "(?i)TM1sserversloadstimes(secs)s=s(?P<timetakentostart>w+)" |where timetakentostart!=""
| bucket _time span=1m
| streamstats count by timetakentostart _time
| eval newfield=timetakentostart + ":" + count
| stats list(newfield) by _time
That will get you the kind of listing you want.
Now, I think the real question is: What is the purpose of this data? What is the question it intends to answer? Because what you're trying to build seems extremely convoluted, and it's not apparent why it needs to be.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks for your help 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ahh, totally get that. Glad I could help and good luck!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
this is one business requirement
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sounds like you need ... | stats count by date_month,timetakentostart
Though in general it a terrible practice to use date_month. Better to use timechart span=1mon count by timetakentostart
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi thanks for the reply
actually i want to label entries like for first occurence 16:1 for second occurence in the same month as 16:2 so that i can show them as different stack in a stacked chart..otherwise splunk group same values
Customer Experience | Splunk 2024: New Onboarding Resources
Celebrate CX Day with Splunk: Take our interactive quiz, join our LinkedIn Live ...
How to Get Started with Splunk Data Management Pipeline Builders (Edge Processor & ...
