How to create a time chart with values from eventstats?

Builder

Hi all.

I have a search like this:

index=log sourcetype=data TYPE="PLATFORM" | timechart span=1d count by AREA limit=100 | addtotals

Now, I must replicate with a search like this:

index=log sourcetype=data TYPE="PLATFORM" | eventstats sum(QP) AS QTOTAL by AREA | timechart span=1d count(QP) by AREA limit=100 | addtotals

but this has been unsuccessful. QP is a number field. I need to show day by day the total by AREA.

Suggestions?

Thanks!

Re: How to create a time chart with values from eventstats?

Champion

Please clarify which total value you need to show per day in the second query. Do you need the daily total of QTOTAL per day? Sharing some of the actual data may help.

Re: How to create a time chart with values from eventstats?

Builder

Hi, thanks. Yes, I need the daily total of QTOTAL.

Re: How to create a time chart with values from eventstats?

Champion

OK, I am still a little confused. Do you need both the QTOTAL per day by AREA and the count of QP events per day by AREA, or just the former?

Re: How to create a time chart with values from eventstats?

Builder

Hi. I need only QTOTAL per day.

Re: How to create a time chart with values from eventstats?

Champion

Then you want the comment below from @ktugwell

Re: How to create a time chart with values from eventstats?

Builder

Let me check...

Re: How to create a time chart with values from eventstats?

Super Champion

index=log sourcetype=data TYPE="PLATFORM" | bucket _time span=1d | chart sum(QP) AS QTOTAL by _time AREA | addtotals

Does this get you what you need?

Re: How to create a time chart with values from eventstats?

Splunk Employee

Have you just tried:

index=log sourcetype=data TYPE="PLATFORM" | timechart span=1d sum(QP) AS QTOTAL by AREA limit=100 | addtotals

?
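
Added example, not part of the original posts: a self-contained search over constructed events that shows why the eventstats approach from the question cannot give a daily total while timechart sum(QP) can. The six events, the AREA values NORTH and SOUTH, the QP values and the field names n, events and daily_QP are all made up for illustration; makeresults generates the data, so no index is needed.

```spl
| makeresults count=6
| streamstats count AS n
| eval _time = relative_time(now(), "@d") - (n % 3) * 86400
| eval AREA = if(n % 2 == 0, "NORTH", "SOUTH"), QP = n * 10
| eventstats sum(QP) AS QTOTAL by AREA
| timechart span=1d count(QP) AS events sum(QP) AS daily_QP max(QTOTAL) AS QTOTAL by AREA
```

In the result, the QTOTAL columns repeat the same per-AREA value on every day, because eventstats computes the sum once over the whole search window and copies it onto each event. The events columns only count rows, and the daily_QP columns are the per-day sums the question asks for.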


Re: How to create a time chart with values from eventstats?

Builder

Works perfectly! Thanks! Can you answer the question with your comment?

Thanks!
