Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I use timechart with Where condition and stats?

Alanmas
Explorer
‎06-06-2023 05:02 PM

Hello!

I am trying to figure out how to convert an table query into a histogram using timechart(), but I am having issues as no data is flowing (I read that is because when you use stats the value of _time disappear or something).

Here is my old query:

 

 

 

index="something" source="*-value*" ("random value 1" OR "*random value 2*")
| stats count(eval(match(_raw, "random value 1"))) as value_1,
       count(eval(match(_raw, "random value 2"))) as value_2
       by source
| where value_1 > 0 AND value_2 > 0
| table source

 

 

 


And this is what I have so far:

 

 

 

index="something" source="*-value*" ("random value 1" OR "*random value 2*")
| stats count(eval(match(_raw, "random value 1"))) as value_1,
       count(eval(match(_raw, "random value 2"))) as value_2
       by source
| where value_1 > 0 AND value_2 > 0
| timechart span=1d dc(source) as unique_sources

 

 

 


But not data is flowing, I already tried other ways and I am sure should be something easy that I am not able to figure out 😞

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yeahnah
Motivator
‎06-06-2023 05:09 PM

Hi @Alanmas 

That is correct, the stats command summarised/transforms the data stream, so if you want to use a field in subsequent commands then you must ensure the field is based by either grouping (BY clause) or using a function.

In this case, you look to be summarising results on a daily bases so something like this might meet your needs  

index="something" source="*-value*" ("random value 1" OR "*random value 2*")
| bin span=1d _time
| stats count(eval(match(_raw, "random value 1"))) as value_1,
       count(eval(match(_raw, "random value 2"))) as value_2
       by _time source
| where value_1 > 0 AND value_2 > 0
| timechart span=1d dc(source) as unique_sources

Hope that helps

View solution in original post

Reply
Solved! Jump to solution

Alanmas
Explorer
‎06-07-2023 02:01 PM

@yeahnah and just out of curiosity, is it possible to create a Multi-Series Line Chart using 2 different queries that works by themselves?

For example:
1 line:

index="something" source="*-value*" ("random value 1" OR "*random value 2*")
| bin span=1d _time
| stats count(eval(match(_raw, "random value 1"))) as value_1,
       count(eval(match(_raw, "random value 2"))) as value_2
       by _time source
| where value_1 > 0 AND value_2 > 0
| timechart span=1d dc(source) as unique_sources

2nd line chart:

index="something" source="*-value*" ("random value 1" OR "*random value 3*" OR "*random value 4*" OR "*random value 5*")
| bin span=1d _time
| stats count(eval(match(_raw, "random value 1"))) as value_1,
       count(eval(match(_raw, "random value 3"))) as value_3,
       count(eval(match(_raw, "random value 4"))) as value_4,
       count(eval(match(_raw, "random value 5"))) as value_5,
       by _time source
| where value_1 > 0 AND (value_3 > 0 OR value_4 OR value_5)
| timechart span=1d dc(source) as unique_sources

 

It looks like it is easier just to split into to 2 billboards, but might be be better to have them in the same one (in case it is possible)

0 Karma
Reply
Solved! Jump to solution

Alanmas
Explorer
‎06-07-2023 02:27 PM

Just to answer my own question, yes it is possible just adding union between them 🙂

Reply
Solved! Jump to solution
Solution

yeahnah
Motivator
‎06-06-2023 05:09 PM

Hi @Alanmas 

That is correct, the stats command summarised/transforms the data stream, so if you want to use a field in subsequent commands then you must ensure the field is based by either grouping (BY clause) or using a function.

In this case, you look to be summarising results on a daily bases so something like this might meet your needs  

index="something" source="*-value*" ("random value 1" OR "*random value 2*")
| bin span=1d _time
| stats count(eval(match(_raw, "random value 1"))) as value_1,
       count(eval(match(_raw, "random value 2"))) as value_2
       by _time source
| where value_1 > 0 AND value_2 > 0
| timechart span=1d dc(source) as unique_sources

Hope that helps

Reply
Solved! Jump to solution

Alanmas
Explorer
‎06-06-2023 07:45 PM

@yeahnah THANK YOU!!!

I did not know the usage of bin + by _time

This is exactly what I was looking for!! YOU ARE AWESOME 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

  Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...