Help with timechart display

ChhayaV
Communicator

hi,

This is my search:

index=tm_idx host="server" | rex field=msg "(?i)TM1\sserver\sload\stime\s(secs)\s=\s(?P<timetakentostart>\w+)" | where timetakentostart!="" | sort _time | stats list(timetakentostart) by date_month

which is giving me the following output:

date_month   list(timetakentostart)
april        23 23 15 15 73 73 25 25
february     24 13
january      9 12 12
july         34 52353 24
june         23
march        18 10 13
may          25 15 16 16 74
september    21 17

But I want it as:
date_month   list(timetakentostart)
april        23:1 23:2 15:1 15:2 73:1 73:2 25:1 25:2
february     24:1 13:1
january      9:1 12:1 12:2

How can I do it?
Any suggestion will be a great help.

Thanks

0 Karma
1 Solution

emiller42
Motivator

So, I'm not sure if what you're trying to do is actually a good idea. But here's an idea of how to accomplish it.

index=tm_idx host="server"
| rex field=msg "(?i)TM1\sserver\sload\stime\s(secs)\s=\s(?P<timetakentostart>\w+)" | where timetakentostart!=""
| bucket _time span=1m
| streamstats count by timetakentostart _time
| eval newfield=timetakentostart + ":" + count
| stats list(newfield) by _time

That will get you the kind of listing you want.

Now, I think the real question is: What is the purpose of this data? What is the question it intends to answer? Because what you're trying to build seems extremely convoluted, and it's not apparent why it needs to be.


0 Karma
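To make visible what the `bucket` / `streamstats count by` / `eval` pipeline above does to each value, here is an added Python simulation of that logic (not Splunk code and not from anyone in this thread) run over a few constructed log lines; it buckets by calendar month, which is the grouping the question asks for, and also accepts a per-minute bucket so the two can be compared.

```python
import re
from collections import defaultdict
from datetime import datetime

# The rex pattern from the thread, written as a Python regex (named group
# syntax (?P<name>...) is the same in both).
LOAD_TIME_RE = re.compile(
    r"(?i)TM1\sserver\sload\stime\s(secs)\s=\s(?P<timetakentostart>\w+)"
)

# Constructed sample events (timestamp, msg); not real TM1 server logs.
EVENTS = [
    ("2014-01-03 08:00:00", "TM1 server load time secs = 9"),
    ("2014-01-10 08:00:00", "TM1 server load time secs = 12"),
    ("2014-01-17 08:00:00", "TM1 server load time secs = 12"),
    ("2014-02-02 08:00:00", "TM1 server load time secs = 24"),
    ("2014-02-09 08:00:00", "TM1 server load time secs = 13"),
    ("2014-02-09 08:05:00", "unrelated line with no load time"),
]


def label_occurrences(events, span="month"):
    """Emulate: bucket _time span=... | streamstats count by value _time
               | eval newfield=value + ":" + count | stats list(newfield) by _time

    Returns {bucket: [labels in event order]}. One counter per
    (bucket, value) pair is exactly what `streamstats count by value _time`
    keeps, so the second 12 in a month becomes 12:2 instead of merging.
    """
    fmt = "%Y-%m" if span == "month" else "%Y-%m-%d %H:%M"
    counters = defaultdict(int)      # (bucket, value) -> occurrences so far
    listing = defaultdict(list)      # bucket -> labels, like list(newfield)
    for ts, msg in sorted(events):   # sort _time first: streamstats is order-dependent
        m = LOAD_TIME_RE.search(msg)
        if m is None:                # equivalent of where timetakentostart!=""
            continue
        value = m.group("timetakentostart")
        bucket = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").strftime(fmt)
        counters[(bucket, value)] += 1
        listing[bucket].append(f"{value}:{counters[(bucket, value)]}")
    return dict(listing)


if __name__ == "__main__":
    for bucket, labels in label_occurrences(EVENTS).items():
        print(bucket, " ".join(labels))
```

With a per-minute span every event lands in its own bucket, so every label ends in `:1`; that is why the span has to match the period over which occurrences should be numbered.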

ChhayaV
Communicator

Thanks for your help 🙂

0 Karma

emiller42
Motivator

Ahh, totally get that. Glad I could help and good luck!

0 Karma

ChhayaV
Communicator

This is one business requirement.

0 Karma

gkanapathy
Splunk Employee

Sounds like you need ... | stats count by date_month,timetakentostart

Though in general it is a terrible practice to use date_month. Better to use timechart span=1mon count by timetakentostart.

0 Karma

ChhayaV
Communicator

Hi, thanks for the reply.
Actually, I want to label entries so that the first occurrence is 16:1 and the second occurrence in the same month is 16:2, so that I can show them as different stacks in a stacked chart; otherwise Splunk groups the same values.

0 Karma