Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I create a histogram to show distribution?

earriaga
Explorer
‎02-07-2019 11:31 AM

I have a search like this:

My Search|chart count(data.url) as SongsPlayed  over userEmail

It gives me a list of users and the number of songs they listen to for a time.

I would like a chart that breaks down the users in groups, like those who listen between 0-10, the up to 20, 30 etc.

How do I do that in Splunk?

Eva

Reply

earriaga
Explorer
‎02-14-2019 07:33 AM

It is sorting the buckets as text, all the 10, 100 etc first. Is there a way to order the buckets as number? Or I am asking too much?
:)

0 Karma
Reply

woodcock
Esteemed Legend
‎02-11-2019 03:23 PM

Like this:

My Search
| stats count(data.url) AS songsPlayed BY userEmail
| bin songsPlayed span=10
| stats dc(userEmail) AS users BY songsPlayed
Reply

earriaga
Explorer
‎02-12-2019 12:49 PM

Hi, thank you, it is getting closer but it is still not working.

When I enter this:
index="mobile_app_tracking" event=song
|stats count(data.url) as SongsPlayed BY userEmail
| bin SongsPlayed span=10

I see results, emails with the bucket where they belong

alt text

But, when I put the whole thing as you suggested,

I get nothing, no results!

alt text

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply

earriaga
Explorer
‎02-14-2019 07:27 AM

Yay, thank you very much!!!

0 Karma
Reply

woodcock
Esteemed Legend
‎02-14-2019 01:00 PM

Be sure to spread around the UpVotes and click Accept on the best answer to close the question.

0 Karma
Reply

woodcock
Esteemed Legend
‎02-12-2019 05:55 PM

You typed it in wrong (my answer has it right). You typed SongPlayed as the last word and it should be SongsPlayed. Missed it by >that< much!

0 Karma
Reply

woodcock
Esteemed Legend
‎02-07-2019 12:54 PM

Like this:

My Search | bin _time span=10s | stats count(data.url) AS SongsPlayed BY userEmail _time
Reply

earriaga
Explorer
‎02-11-2019 10:28 AM

Thank you that works, but it is giving me users per 10 seconds, I think?

I want to count number of users, and the number of songs they play.

My basic query gives me the user email and the number of songs they listen to.

What I want is to group those users in buckets, of those who listen between 0 and 10, those who listen to etc.
So for example, it would be a bar graph for each bucket of songs.
10 users play 0-10 songs
34 users play 11-20 songs
etc

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...