Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I create a histogram to show distribution?

earriaga
Explorer
‎02-07-2019 11:31 AM

I have a search like this:

My Search|chart count(data.url) as SongsPlayed  over userEmail

It gives me a list of users and the number of songs they listen to for a time.

I would like a chart that breaks down the users in groups, like those who listen between 0-10, the up to 20, 30 etc.

How do I do that in Splunk?

Eva

Reply

earriaga
Explorer
‎02-14-2019 07:33 AM

It is sorting the buckets as text, all the 10, 100 etc first. Is there a way to order the buckets as number? Or I am asking too much?
:)

0 Karma
Reply

woodcock
Esteemed Legend
‎02-11-2019 03:23 PM

Like this:

My Search
| stats count(data.url) AS songsPlayed BY userEmail
| bin songsPlayed span=10
| stats dc(userEmail) AS users BY songsPlayed
Reply

earriaga
Explorer
‎02-12-2019 12:49 PM

Hi, thank you, it is getting closer but it is still not working.

When I enter this:
index="mobile_app_tracking" event=song
|stats count(data.url) as SongsPlayed BY userEmail
| bin SongsPlayed span=10

I see results, emails with the bucket where they belong

alt text

But, when I put the whole thing as you suggested,

I get nothing, no results!

alt text

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply

earriaga
Explorer
‎02-14-2019 07:27 AM

Yay, thank you very much!!!

0 Karma
Reply

woodcock
Esteemed Legend
‎02-14-2019 01:00 PM

Be sure to spread around the UpVotes and click Accept on the best answer to close the question.

0 Karma
Reply

woodcock
Esteemed Legend
‎02-12-2019 05:55 PM

You typed it in wrong (my answer has it right). You typed SongPlayed as the last word and it should be SongsPlayed. Missed it by >that< much!

0 Karma
Reply

woodcock
Esteemed Legend
‎02-07-2019 12:54 PM

Like this:

My Search | bin _time span=10s | stats count(data.url) AS SongsPlayed BY userEmail _time
Reply

earriaga
Explorer
‎02-11-2019 10:28 AM

Thank you that works, but it is giving me users per 10 seconds, I think?

I want to count number of users, and the number of songs they play.

My basic query gives me the user email and the number of songs they listen to.

What I want is to group those users in buckets, of those who listen between 0 and 10, those who listen to etc.
So for example, it would be a bar graph for each bucket of songs.
10 users play 0-10 songs
34 users play 11-20 songs
etc

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...