Splunk Search

How edit my search to get a chart of bin counts over time?

viraptor
New Member

I'd like to create a chart of bin counts over time (with a span defined). Right now, I can get the result over the whole time period using:

... | stats count by clientip | bin count as bins | stats count by bins

How can I change this to get a chart of bin counts over time?

0 Karma

jkat54
SplunkTrust
SplunkTrust

Is this what you're looking for?

... | timechart distinctcount(bin)

Or

... | timechart count(bin)

Maybe

... | streamstats count(bin) as bincount by clientip _time | timechart bincount by clientip

Or

... | timechart span=1w count by clientip

0 Karma

niketn
Legend

@viraptor... You would need to retain the _time field after your first stats command runs. So you can use min(_time) or max(_time) function to retain the same and pass that on to timechart to plot count of bins over _time.

| stats count min(_time) as _time by clientip 
| bin count as bins 
| timechart count by bins
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

viraptor
New Member

That's not really what I'm after. This will give me the time of the first request for a given clientip. It may approximate what I'm after, but the difference matters in my case. I want the results analysed for each (for example) 15 min span separately.

0 Karma

niketn
Legend

Are you looking for somthing like the following?

 | stats count min(_time) as _time max(_time) as MaxTime by clientip 
 | eval duration=MaxTime-_time 
 | bin count as bins 
 | table _time bins duration

You might need to post-process and show duration via Timeline visualization and count via simple timechart.

Anyways. Let me also convert my Answer to comment so that others can pitch in with their answers/opinions.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...