Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do i do a timechart -like resulting, but want ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I for example want to track a ratio like UsersWithTag1/AllUsers
wher the users with the specified tag are growing over time and of course also all users.
When i use timechart i can eg. calculate the ratio with span=1d for every day extra and follow how this changes.
This would look like
| _time | AllUsers | UsersWithTag1 | UsersWithTag1/AllUsers |
| 01.09.2012 | 50 | 39 | 0,78 |
| 02.09.2012 | 60 | 46 | 0,77 |
| 03.09.2012 | 62 | 40 | 0,65 |
| 04.09.2012 | 52 | 36 | 0,69 |
| 05.09.2012 | 34 | 28 | 0,82 |
| 06.09.2012 | 44 | 36 | 0,82 |
| 07.09.2012 | 92 | 55 | 0,60 |
But what i want is smth where i get daily results for the ratio since the beginning and how this moves. For above example this is
| _time | AllUsers | UsersWithTag1 | UsersWithTag1/AllUsers |
| 01.09.2012 | 50 | 39 | 0,78 |
| 02.09.2012 | 110 | 85 | 0,77 |
| 03.09.2012 | 172 | 125 | 0,73 |
| 04.09.2012 | 224 | 161 | 0,72 |
| 05.09.2012 | 258 | 189 | 0,73 |
| 06.09.2012 | 302 | 225 | 0,75 |
| 07.09.2012 | 394 | 280 | 0,71 |
And does splunk have any possiblity to show an trend resp. indicator arrow in the next right column of UsersWithTag1/AllUsers with green for up und red for down or smth like this?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@p_splunk, I think I see what your are trying to do and it can be accomplished by using accum search command. Here a simplifed version which should get you started.
index=_internal | stats count(method) as method, count(message) as message by _time | accum method as accmethod| accum message as accmessage
_time method message accmessage accmethod
1 9/28/12 8:49:01.389 AM 0 2 2 0
2 9/28/12 8:49:04.290 AM 0 0 2 0
3 9/28/12 8:49:04.291 AM 2 0 2 2
4 9/28/12 8:49:04.447 AM 1 0 2 3
5 9/28/12 8:49:04.728 AM 0 1 3 3
6 9/28/12 8:49:04.962 AM 1 0 3 4
7 9/28/12 8:49:04.977 AM 1 0 3 5
8 9/28/12 8:49:04.993 AM 3 0 3 8
9 9/28/12 8:49:05.009 AM 1 0 3 9
10 9/28/12 8:49:05.024 AM 3 0 3 12
11 9/28/12 8:49:05.040 AM 1 0 3 13
12 9/28/12 8:49:05.055 AM 1 0 3 14
Hope this helps.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@p_splunk, I think I see what your are trying to do and it can be accomplished by using accum search command. Here a simplifed version which should get you started.
index=_internal | stats count(method) as method, count(message) as message by _time | accum method as accmethod| accum message as accmessage
_time method message accmessage accmethod
1 9/28/12 8:49:01.389 AM 0 2 2 0
2 9/28/12 8:49:04.290 AM 0 0 2 0
3 9/28/12 8:49:04.291 AM 2 0 2 2
4 9/28/12 8:49:04.447 AM 1 0 2 3
5 9/28/12 8:49:04.728 AM 0 1 3 3
6 9/28/12 8:49:04.962 AM 1 0 3 4
7 9/28/12 8:49:04.977 AM 1 0 3 5
8 9/28/12 8:49:04.993 AM 3 0 3 8
9 9/28/12 8:49:05.009 AM 1 0 3 9
10 9/28/12 8:49:05.024 AM 3 0 3 12
11 9/28/12 8:49:05.040 AM 1 0 3 13
12 9/28/12 8:49:05.055 AM 1 0 3 14
Hope this helps.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks, dunno why i didnt think back to accum function. maybe lost in typing weird requests.
thanks
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
