Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Showing results for

Splunk Search

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Showing results for

- Community
- :
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to create a linechart showing the previous 6 m...

- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page

Highlighted
##
How to create a linechart showing the previous 6 months with each point being the sum of the previous 6 months?

Im trying to show a trend using a linechart. It should show the previous 6 months and have a data point once for each month. The data point should be sum of events for the previous 6 months, and the labels across the x-axis should just be the month name. For example if today is Dec 15, the x-axis would have the labels July, Aug, Sept, Oct, Nov, Dec. The July data point would be the sum of the value of field1 for all events that occurred in Feb-July. The Dec data point would be the sum of the value of field1 for July - the current date in Dec. Finally, if for some reason there are no events in that time period the line should not go to 0, but the last two data points should connect. How would I create a search like this?

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

glenngermiathen

Path Finder

12-08-2017
08:30 PM

Highlighted
##
Re: How to create a linechart showing the previous 6 months with each point being the sum of the previous 6 months?

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

martin_mueller

SplunkTrust

12-09-2017
03:07 PM

This should be what you're looking for, run over `@mon-10mon to now`

:

```
index=foo sourcetype=bar etc... | timechart span=1mon sum(field1) as monthly_sum
| streamstats window=6 sum(monthly_sum) as sixmonthly_sum | fields - monthly_sum
| where _time >= relative_time(now(), "@mon-5mon")
| eval sixmonthly_sum = case(sixmonthly_sum>0, sixmonthly_sum)
```

- search for your data, compute monthly sums
- compute running six-month-sums, drop monthly sums
- drop first five months
- remove zeroes, make sure the line chart is set to connect on missing values

Highlighted
##
Re: How to create a linechart showing the previous 6 months with each point being the sum of the previous 6 months?

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

glenngermiathen

Path Finder

12-10-2017
01:44 PM

Host "Event Count" _time

HostA 500 time

HostA 450 time

HostB 1000 time...

Highlighted
##
Re: How to create a linechart showing the previous 6 months with each point being the sum of the previous 6 months?

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

martin_mueller

SplunkTrust

12-10-2017
01:59 PM

To get the latest value per host per month, use this beginning:

```
index=foo sourcetype=bar etc... | bin span=1mon _time as month | dedup host month | timechart ...
```

Highlighted
##
Re: How to create a linechart showing the previous 6 months with each point being the sum of the previous 6 months?

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

glenngermiathen

Path Finder

12-10-2017
02:54 PM

| bin span=6mon that it would group distinct periods ie Jan-Jun July-Dec, rather than Jun-Nov July-Dec?

Highlighted
##
Re: How to create a linechart showing the previous 6 months with each point being the sum of the previous 6 months?

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

martin_mueller

SplunkTrust

12-10-2017
02:59 PM

`field1`

over a six-month period but rather use the field value from the latest event? I'm confused.

Highlighted
##
Re: How to create a linechart showing the previous 6 months with each point being the sum of the previous 6 months?

Sorry I didn't explain very clearly. field1is the "Event Count", and every host has an event count associated with it. A host can be listed many times in the 6 month periods, so I want to count each host once in that period using the most recent occurrence of that host. Then with the list of unique hosts sum the "event count" field for that 6 month period. For example lets say hostA shows up 2 times each month. For the July-Dec bucket only the most recent event count for hostA would be summed up with the event counts for the most recent occurrences of the other hosts. Then For the June-Nov bucket it would be the most recent occurrence in Nov that was used the in summation. Hope this is clearer.

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

glenngermiathen

Path Finder

12-10-2017
08:38 PM

Highlighted
##
Re: How to create a linechart showing the previous 6 months with each point being the sum of the previous 6 months?

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

martin_mueller

SplunkTrust

12-11-2017
02:55 AM

My confusion isn't decreasing 😄 let's whip up an example for just one host:

```
June 1st: 1
June 15th: 2
July 1st: 4
July 15th: 8
July 31st: 16
August 1st: 32
August 15th: 64
August 31st: 128
September 1st: 256
October 1st: 512
October 15th: 1024
November 1st: 2048
December 1st: 4096
```

What should the value be for November? What value for December?

Highlighted
##
Re: How to create a linechart showing the previous 6 months with each point being the sum of the previous 6 months?

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

glenngermiathen

Path Finder

12-14-2017
05:13 AM

Sorry for the late reply, the value for Nov should be 2048 and Dec 4096

Highlighted
##
Re: How to create a linechart showing the previous 6 months with each point being the sum of the previous 6 months?

So... there should be no summing up of previous months, just the latest value over that six-month window?

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content

martin_mueller

SplunkTrust

12-14-2017
03:06 PM