Splunk Search

How to create a time chart with values from eventstats?

changux
Builder

Hi all.

I have a search like this:

index=log sourcetype=data TYPE="PLATFORM"  | timechart  span=1d count by AREA limit=100  | addtotals

Now, I must replicate with a search like this:

index=log sourcetype=data TYPE="PLATFORM"   | eventstats sum(QP) AS QTOTAL by AREA | timechart  span=1d count(QP) by AREA limit=100  | addtotals

but this has been unsuccessful. QP is a number field. I need to show day by day the total by AREA.

Suggestions?

Thanks!

0 Karma
1 Solution

ktugwell_splunk
Splunk Employee

Have you just tried:

 index=log sourcetype=data TYPE="PLATFORM"  | timechart  span=1d sum(QP) AS QTOTAL by AREA limit=100  | addtotals

?
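To see why the eventstats version never showed the daily totals while the timechart version does, here is an added Python simulation that is not part of this thread: the events are constructed, and the functions only approximate what timechart, eventstats and addtotals do rather than calling Splunk.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events standing in for index=log sourcetype=data TYPE="PLATFORM".
EVENTS = [
    {"_time": "2024-03-01T08:00:00Z", "AREA": "north", "QP": 10},
    {"_time": "2024-03-01T13:30:00Z", "AREA": "north", "QP": 5},
    {"_time": "2024-03-01T09:15:00Z", "AREA": "south", "QP": 7},
    {"_time": "2024-03-02T02:00:00Z", "AREA": "north", "QP": 3},
    {"_time": "2024-03-02T11:45:00Z", "AREA": "south", "QP": 4},
    {"_time": "2024-03-02T17:00:00Z", "AREA": "south", "QP": 6},
]


def day_bucket(ts):
    """span=1d: truncate the event timestamp to its UTC calendar day."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
    return dt.date().isoformat()


def pivot(events, value):
    """Shared shape of 'timechart span=1d <agg> by AREA | addtotals':
    one row per day, one column per AREA, plus a Total column."""
    table = defaultdict(lambda: defaultdict(int))
    areas = set()
    for e in events:
        table[day_bucket(e["_time"])][e["AREA"]] += value(e)
        areas.add(e["AREA"])
    rows = []
    for day in sorted(table):
        row = {"_time": day}
        row.update({a: table[day].get(a, 0) for a in sorted(areas)})
        row["Total"] = sum(table[day].values())  # addtotals
        rows.append(row)
    return rows


def timechart_sum_qp(events):
    """Accepted answer: timechart span=1d sum(QP) AS QTOTAL by AREA | addtotals."""
    return pivot(events, lambda e: e["QP"])


def eventstats_then_count(events):
    """Original attempt. eventstats sum(QP) AS QTOTAL by AREA stamps one
    whole-search-range total per AREA onto every event; timechart count(QP)
    then counts events per day, so QTOTAL never reaches the chart."""
    qtotal = defaultdict(int)
    for e in events:
        qtotal[e["AREA"]] += e["QP"]
    enriched = [dict(e, QTOTAL=qtotal[e["AREA"]]) for e in events]
    return dict(qtotal), pivot(enriched, lambda e: 1 if "QP" in e else 0)
```

Run on the constructed events, timechart_sum_qp gives per-day sums (15/7, then 3/10), while eventstats_then_count returns one QTOTAL per AREA for the whole range (18, 17) and a chart of plain event counts.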


snoobzilla
Builder

Would this work?

index=log sourcetype=data TYPE="PLATFORM" | timechart span=1d count(QP) sum(QP) AS Total by AREA limit=100

0 Karma

changux
Builder

Works perfectly! Thanks! Can you answer the question with your comment?

Thanks!

0 Karma

cmerriman
Super Champion

index=log sourcetype=data TYPE="PLATFORM" |bucket _time span=1d  | chart sum(QP) AS QTOTAL by _time AREA  | addtotals

does this get you what you need?

0 Karma

rjthibod
Champion

Please clarify which total value you need to show per day in the second query. Do you need the daily total of QTOTAL per day? Sharing some of the actual data may help.

0 Karma

changux
Builder

Hi, thanks. Yes, I need the daily total of QTOTAL.

0 Karma

rjthibod
Champion

OK, I am still a little confused. Do you need both the QTOTAL per day by AREA and the count of QP events per day by AREA, or just the former?

0 Karma

changux
Builder

Hi. I need only QTOTAL per day.

0 Karma

rjthibod
Champion

Then you want the comment below from @ktugwell

changux
Builder

Let me check...

0 Karma