Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I create a histogram to show distribution?

earriaga
Path Finder
‎02-07-2019 11:31 AM

I have a search like this:

My Search|chart count(data.url) as SongsPlayed  over userEmail

It gives me a list of users and the number of songs they listen to for a time.

I would like a chart that breaks down the users in groups, like those who listen between 0-10, the up to 20, 30 etc.

How do I do that in Splunk?

Eva

Reply

earriaga
Path Finder
‎02-14-2019 07:33 AM

It is sorting the buckets as text, all the 10, 100 etc first. Is there a way to order the buckets as number? Or I am asking too much?
:)

0 Karma
Reply

woodcock
Esteemed Legend
‎02-11-2019 03:23 PM

Like this:

My Search
| stats count(data.url) AS songsPlayed BY userEmail
| bin songsPlayed span=10
| stats dc(userEmail) AS users BY songsPlayed
Reply

earriaga
Path Finder
‎02-12-2019 12:49 PM

Hi, thank you, it is getting closer but it is still not working.

When I enter this:
index="mobile_app_tracking" event=song
|stats count(data.url) as SongsPlayed BY userEmail
| bin SongsPlayed span=10

I see results, emails with the bucket where they belong

alt text

But, when I put the whole thing as you suggested,

I get nothing, no results!

alt text

Preview file
45 KB
Preview file
33 KB
0 Karma
Reply

earriaga
Path Finder
‎02-14-2019 07:27 AM

Yay, thank you very much!!!

Reply

woodcock
Esteemed Legend
‎02-14-2019 01:00 PM

Be sure to spread around the UpVotes and click Accept on the best answer to close the question.

Reply

woodcock
Esteemed Legend
‎02-12-2019 05:55 PM

You typed it in wrong (my answer has it right). You typed SongPlayed as the last word and it should be SongsPlayed. Missed it by >that< much!

0 Karma
Reply

woodcock
Esteemed Legend
‎02-07-2019 12:54 PM

Like this:

My Search | bin _time span=10s | stats count(data.url) AS SongsPlayed BY userEmail _time
Reply

earriaga
Path Finder
‎02-11-2019 10:28 AM

Thank you that works, but it is giving me users per 10 seconds, I think?

I want to count number of users, and the number of songs they play.

My basic query gives me the user email and the number of songs they listen to.

What I want is to group those users in buckets, of those who listen between 0 and 10, those who listen to etc.
So for example, it would be a bar graph for each bucket of songs.
10 users play 0-10 songs
34 users play 11-20 songs
etc

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...