Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I use results of a stats table to output to another pipe or timechart?

spark2310
Explorer
‎12-08-2017 12:13 PM

index=source earliest=-2h sourcetype=e | bucket _time span=1h |stats count by code _time| delta count as difference | eval percdif=round(abs(difference/count)*100,0)|table code, count, difference, percdif|sort -percdif -count|where count>1100|fields code|head 10

I am using this query. output basically will return error codes sorted with high percentage difference (errors are increasing). I am using fields command to only output top 10 errors in table

since this query will show as stats table, how can I use this output to further pipe or do a timechart?

0 Karma
Reply

somesoni2
Revered Legend
‎12-08-2017 02:10 PM

If your timechart query's timerange is different from last 2 hr, then try like this

index=source [search index=source earliest=-2h sourcetype=e | bucket _time span=1h |stats count by code _time| delta count as difference | eval percdif=round(abs(difference/count)*100,0)|table code, count, difference, percdif|sort -percdif -count|where count>1100|fields code|head 10] 
| timechart count by code
Reply

spark2310
Explorer
‎12-08-2017 02:36 PM

It did not work, returns 0 results

0 Karma
Reply

somesoni2
Revered Legend
‎12-08-2017 02:47 PM

How about this

index=source sourcetype=e  [search index=source earliest=-2h sourcetype=e | bucket _time span=1h |stats count by code _time| delta count as difference | eval percdif=round(abs(difference/count)*100,0)|table code, count, difference, percdif|sort -percdif -count|where count>1100|fields code|head 10] 
 | timechart count by code
Reply

spark2310
Explorer
‎12-08-2017 03:16 PM

does this work if I pass more than one field (code and percdif) to timechart as well?

0 Karma
Reply

somesoni2
Revered Legend
‎12-08-2017 04:20 PM

It'll. As long as that field is present in main search.

0 Karma
Reply

spark2310
Explorer
‎12-08-2017 03:00 PM

Thanks working now

0 Karma
Reply

somesoni2
Revered Legend
‎12-08-2017 01:32 PM

What's your final expected output (that you want to generate for these top 10 error codes)?

0 Karma
Reply

spark2310
Explorer
‎12-08-2017 02:02 PM

Final output should be a timechart of the top 10 error codes (of query I posted above)

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing the Expansion of the Splunk Academic Alliance Program

The Splunk Community is more than just an online forum — it’s a network of passionate users, administrators, ...

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top