Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I display values over the last 24 hours?

loggeruk
Explorer
‎09-09-2015 08:47 AM

Greetings,

I am trying to display the value of "002:emailsqu=33" over the last 24 hours and then graph it. The log comes in to the system every 180seconds

Date=Wednesday, September 9, 2015 3:10:37 PM
Location=ImageNowProduction
001:sizebundle=21
002:emailsqu=33
003:createdocumentqu=44

Many Thanks 🙂

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

loggeruk
Explorer
‎09-25-2015 03:12 PM

I used the Pivot function with the MEDIAN option in the end, seems to be working well. Thanks for all the replies 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

loggeruk
Explorer
‎09-25-2015 03:12 PM

I used the Pivot function with the MEDIAN option in the end, seems to be working well. Thanks for all the replies 🙂

0 Karma
Reply
Solved! Jump to solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎09-09-2015 09:28 AM

If emailsqu is already extracted as a field:

earliest=-24h sourcetype=foo emailsqu=* | table emailsqu _time

or

earliest=-24h sourcetype=foo  emailsqu=* | timechart span=2m max(emailsqu) as emailsqu

or you could use a different span and use avg instead of max for example.

If emailsqu is not extracted as a field:

   earliest=-24h sourcetype=foo | rex "emailsqu=(?<emailsqu>.*) | table emailsqu _time

or

   earliest=-24h sourcetype=foo | rex "emailsqu=(?<emailsqu>.*) | timechart span=2m max(emailsqu) as emailsqu
Reply
Solved! Jump to solution

loggeruk
Explorer
‎09-21-2015 04:24 PM

Thanks for the reply 🙂 see the attached screen shot i seem to be getting the data into the fields but i cant graph it for my dashboard

any ideas ?

Many thanks as always

alt text

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎09-21-2015 04:38 PM

try timechart instead of table

 .... | timechart values(textbehindocrdcg2) AS textbehindocrdcg2

cheers, MuS

0 Karma
Reply
Solved! Jump to solution

frobinson_splun
Splunk Employee
Splunk Employee
‎09-09-2015 09:23 AM

Hi @loggeruk,
I'm a tech writer here at Splunk and I'd like to help. If I'm understanding your question, it sounds like you might want to run a query using a command like "timechart" to aggregate on the "002:emailsqu=33" field in your data , with the time picker set to "Last 24 hours". You can then set up a visualization, such as a line graph, to visualize the results.

Here are some resources that might help:
http://docs.splunk.com/Documentation/Splunk/6.2.5/SearchReference/Timechart
http://docs.splunk.com/Documentation/Splunk/6.2.5/SearchTutorial/Aboutthetimerangepicker
http://docs.splunk.com/Documentation/Splunk/6.2.5/Viz/ChartConfigurationReference#Area.2C_Bubble.2C_...

I hope this helps! If not, let me know and we can keep discussing.

All the best,
@frobinson_splunk

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...