I am trying to display the value of "002:emailsqu=33" over the last 24 hours and then graph it. The log comes into the system every 180 seconds.
Date=Wednesday, September 9, 2015 3:10:37 PM
Many Thanks 🙂
If emailsqu is already extracted as a field:
earliest=-24h sourcetype=foo emailsqu=* | table emailsqu _time
earliest=-24h sourcetype=foo emailsqu=* | timechart span=2m max(emailsqu) as emailsqu
or you could use a different span and use avg instead of max, for example.
If emailsqu is not extracted as a field:
earliest=-24h sourcetype=foo | rex "emailsqu=(?<emailsqu>.*)" | table emailsqu _time
earliest=-24h sourcetype=foo | rex "emailsqu=(?<emailsqu>.*)" | timechart span=2m max(emailsqu) as emailsqu
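As an added illustration (not from the original thread) of what the rex extraction followed by `timechart span=2m max(emailsqu)` produces, here is a small Python script run over constructed sample lines; the line layout, host name and timestamp format are assumptions, and it also shows why the capture should stop at the digits rather than using a greedy `.*`.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines (not from the original post), shaped like the log in the question:
# an ISO timestamp, then a "002:emailsqu=<n>" field, one line every 180 seconds.
SAMPLE_LOGS = [
    "2015-09-09T15:00:00Z host=mta1 002:emailsqu=33 Date=Wednesday, September 9, 2015 3:00:00 PM",
    "2015-09-09T15:03:00Z host=mta1 002:emailsqu=41 Date=Wednesday, September 9, 2015 3:03:00 PM",
    "2015-09-09T15:04:30Z host=mta1 heartbeat=ok",  # no emailsqu field: excluded, like emailsqu=*
    "2015-09-09T15:06:00Z host=mta1 002:emailsqu=28 Date=Wednesday, September 9, 2015 3:06:00 PM",
    "2015-09-09T15:09:00Z host=mta1 002:emailsqu=52 Date=Wednesday, September 9, 2015 3:09:00 PM",
]

# Same shape as the answer's rex, but restricted to digits so the capture stops at the number
# instead of swallowing the rest of the line (a greedy ".*" would make max() compare strings).
FIELD_RE = re.compile(r"emailsqu=(?P<emailsqu>\d+)")


def extract_emailsqu(line):
    """Mirror of the rex step: return the numeric queue value, or None if the field is absent."""
    m = FIELD_RE.search(line)
    return int(m.group("emailsqu")) if m else None


def timechart_max(lines, span_seconds=120):
    """Mirror of `timechart span=2m max(emailsqu)`.

    Events fall into fixed buckets of span_seconds aligned to multiples of the span,
    the max per bucket is kept, and buckets with no event between the first and last
    one are reported as None, the way timechart leaves them blank on the graph.
    """
    maxima = {}
    for line in lines:
        value = extract_emailsqu(line)
        if value is None:
            continue
        stamp = line.split(" ", 1)[0]
        epoch = int(datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
                    .replace(tzinfo=timezone.utc).timestamp())
        start = epoch - epoch % span_seconds
        maxima[start] = max(maxima.get(start, value), value)
    if not maxima:
        return []
    first, last = min(maxima), max(maxima)
    return [(t, maxima.get(t)) for t in range(first, last + 1, span_seconds)]


if __name__ == "__main__":
    for start, value in timechart_max(SAMPLE_LOGS):
        when = datetime.fromtimestamp(start, timezone.utc).strftime("%H:%M")
        print(f"{when}  {'' if value is None else value}")
```

Because the log arrives every 180 seconds while the span is 120 seconds, every third bucket is empty, which is why a line graph of this query shows gaps unless you widen the span.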
Thanks for the reply 🙂 See the attached screenshot. I seem to be getting the data into the fields, but I can't graph it for my dashboard.
Any ideas?
Many thanks as always
I'm a tech writer here at Splunk and I'd like to help. If I'm understanding your question, it sounds like you might want to run a query using a command like "timechart" to aggregate on the "002:emailsqu=33" field in your data, with the time picker set to "Last 24 hours". You can then set up a visualization, such as a line graph, to visualize the results.
Here are some resources that might help:
I hope this helps! If not, let me know and we can keep discussing.
All the best,