Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I create a histogram to show distribution?

earriaga
Path Finder
‎02-07-2019 11:31 AM

I have a search like this:

My Search|chart count(data.url) as SongsPlayed  over userEmail

It gives me a list of users and the number of songs they listen to for a time.

I would like a chart that breaks down the users in groups, like those who listen between 0-10, the up to 20, 30 etc.

How do I do that in Splunk?

Eva

Reply

earriaga
Path Finder
‎02-14-2019 07:33 AM

It is sorting the buckets as text, all the 10, 100 etc first. Is there a way to order the buckets as number? Or I am asking too much?
:)

0 Karma
Reply

woodcock
Esteemed Legend
‎02-11-2019 03:23 PM

Like this:

My Search
| stats count(data.url) AS songsPlayed BY userEmail
| bin songsPlayed span=10
| stats dc(userEmail) AS users BY songsPlayed
Reply

earriaga
Path Finder
‎02-12-2019 12:49 PM

Hi, thank you, it is getting closer but it is still not working.

When I enter this:
index="mobile_app_tracking" event=song
|stats count(data.url) as SongsPlayed BY userEmail
| bin SongsPlayed span=10

I see results, emails with the bucket where they belong

alt text

But, when I put the whole thing as you suggested,

I get nothing, no results!

alt text

almost.jpg
Preview file
45 KB
no-results.jpg
Preview file
33 KB
0 Karma
Reply

earriaga
Path Finder
‎02-14-2019 07:27 AM

Yay, thank you very much!!!

Reply

woodcock
Esteemed Legend
‎02-14-2019 01:00 PM

Be sure to spread around the UpVotes and click Accept on the best answer to close the question.

Reply

woodcock
Esteemed Legend
‎02-12-2019 05:55 PM

You typed it in wrong (my answer has it right). You typed SongPlayed as the last word and it should be SongsPlayed. Missed it by >that< much!

0 Karma
Reply

woodcock
Esteemed Legend
‎02-07-2019 12:54 PM

Like this:

My Search | bin _time span=10s | stats count(data.url) AS SongsPlayed BY userEmail _time
Reply

earriaga
Path Finder
‎02-11-2019 10:28 AM

Thank you that works, but it is giving me users per 10 seconds, I think?

I want to count number of users, and the number of songs they play.

My basic query gives me the user email and the number of songs they listen to.

What I want is to group those users in buckets, of those who listen between 0 and 10, those who listen to etc.
So for example, it would be a bar graph for each bucket of songs.
10 users play 0-10 songs
34 users play 11-20 songs
etc

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top