Splunk Search

How to create a time chart with values from eventstats?

Builder

Hi all.

I have a search like this:

index=log sourcetype=data TYPE="PLATFORM" | timechart span=1d count by AREA limit=100 | addtotals

Now, I must replicate with a search like this:

index=log sourcetype=data TYPE="PLATFORM" | eventstats sum(QP) AS QTOTAL by AREA | timechart span=1d count(QP) by AREA limit=100 | addtotals

but this has been unsuccessful. QP is a numeric field. I need to show, day by day, the total by AREA.

Suggestions?

Thanks!

0 Karma
1 Solution

Splunk Employee

Have you just tried:

index=log sourcetype=data TYPE="PLATFORM" | timechart span=1d sum(QP) AS QTOTAL by AREA limit=100 | addtotals

?

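To make the difference between the two searches concrete, here is an added Python emulation (not part of the original thread, and not Splunk's own code) of the accepted search `timechart span=1d sum(QP) by AREA | addtotals` beside the original `eventstats sum(QP) AS QTOTAL by AREA | timechart span=1d count(QP) by AREA`. The field names QP and AREA come from the thread; the sample events, their ISO-8601 timestamps and the UTC day bucketing are assumptions made for the example. It shows why the first search yields the per-day total per AREA while the second only counts events per day and carries a whole-window total in QTOTAL on every event.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (assumed for this example, not data from the
# thread): each has _time, AREA and the numeric field QP, over two days.
EVENTS = [
    {"_time": "2024-03-01T08:15:00Z", "AREA": "north", "QP": 10},
    {"_time": "2024-03-01T13:40:00Z", "AREA": "north", "QP": 5},
    {"_time": "2024-03-01T19:05:00Z", "AREA": "south", "QP": 7},
    {"_time": "2024-03-02T02:30:00Z", "AREA": "north", "QP": 3},
    {"_time": "2024-03-02T11:00:00Z", "AREA": "south", "QP": 4},
    {"_time": "2024-03-02T22:45:00Z", "AREA": "south", "QP": 6},
]


def day_bucket(ts):
    """span=1d: truncate an ISO-8601 timestamp to its UTC calendar day."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%d")


def timechart_sum_by_area(events, field="QP", by="AREA", addtotals=True):
    """Emulates `timechart span=1d sum(<field>) by <by> | addtotals`.

    Returns one row per day: {"_time": day, <area>: sum, ..., "Total": sum}.
    """
    table = defaultdict(lambda: defaultdict(float))
    areas = set()
    for e in events:
        table[day_bucket(e["_time"])][e[by]] += float(e[field])
        areas.add(e[by])
    rows = []
    for day in sorted(table):
        row = {"_time": day}
        for area in sorted(areas):
            row[area] = table[day].get(area, 0.0)   # no events that day -> 0
        if addtotals:
            row["Total"] = sum(row[area] for area in areas)  # addtotals per row
        rows.append(row)
    return rows


def eventstats_then_timechart_count(events, field="QP", by="AREA"):
    """Emulates `eventstats sum(<field>) AS QTOTAL by <by>
               | timechart span=1d count(<field>) by <by>`.

    eventstats adds QTOTAL (the sum over the whole search window, per AREA)
    to every event without changing the event set, so the following
    timechart still only counts events per day. Returns (qtotal, rows).
    """
    qtotal = defaultdict(float)
    for e in events:
        qtotal[e[by]] += float(e[field])
    annotated = [dict(e, QTOTAL=qtotal[e[by]]) for e in events]
    counts = defaultdict(lambda: defaultdict(int))
    for e in annotated:
        if e.get(field) is not None:          # count(QP) skips events without QP
            counts[day_bucket(e["_time"])][e[by]] += 1
    rows = [
        {"_time": day, **{area: counts[day].get(area, 0) for area in sorted(qtotal)}}
        for day in sorted(counts)
    ]
    return dict(qtotal), rows


if __name__ == "__main__":
    print("timechart sum(QP) by AREA | addtotals:")
    for row in timechart_sum_by_area(EVENTS):
        print("  ", row)
    qtotal, rows = eventstats_then_timechart_count(EVENTS)
    print("eventstats QTOTAL (whole window, per AREA):", qtotal)
    print("timechart count(QP) by AREA:")
    for row in rows:
        print("  ", row)
```

Running it shows the first pipeline producing the wanted daily totals (north 15 and south 7 on the first day, 22 in Total), while the second pipeline's rows hold event counts and its QTOTAL is the same value on every event of an AREA regardless of day.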

Builder

Would this work?

index=log sourcetype=data TYPE="PLATFORM" | timechart span=1d count(QP) sum(QP) AS Total by AREA limit=100

0 Karma


Builder

Works perfectly! Thanks! Can you answer the question with your comment?

Thanks!

0 Karma

Super Champion

index=log sourcetype=data TYPE="PLATFORM" | bucket _time span=1d | chart sum(QP) AS QTOTAL by _time AREA | addtotals

does this get you what you need?

0 Karma

Champion

Please clarify which total value you need to show per day in the second query. Do you need the daily total of QTOTAL per day? Sharing some of the actual data may help.

0 Karma

Builder

Hi, thanks. Yes, I need the daily total of QTOTAL.

0 Karma

Champion

OK, I am still a little confused. Do you need both the QTOTAL per day by AREA and the count of QP events per day by AREA, or just the former?

0 Karma

Builder

Hi. I need only QTOTAL per day.

0 Karma

Champion

Then you want the comment below from @ktugwell.

Builder

Let me check...

0 Karma