Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to do a timechart from a single panel result?

jip31
Motivator
‎04-27-2022 03:41 AM

Hi

I need to do a timechart from a single panel result

In this single panel, I stats events like this

 

| stats count as PbPerf by s 
| search PbPerf>10
| stats dc(s)

 

The results of this search is 14 events

Now I need to timechart these 14 events

So I am doing this

 

| bin _time span=1d 
| stats count as PbPerf by s _time 
| search PbPerf>10
| timechart count span=1h

 

 The first problem I have is that I want to retrieve the 14 events before doing the timechart is that I have to use a span=1d

But of course all the 14 events are grouped with the same _time even if I use a span=1h in the timechart

So how to display a timechart that display a _time value for my 14 events?

Thanks

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎04-27-2022 07:03 AM

Hi @jip31,

as I said, if using the BY clause probably you should better analyze your data to understand if the results you're waiting are correct.

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎04-27-2022 03:49 AM

Hi @jip31,

at first, why don't you directly use timechart in you search?

| timechart span=1d count as PbPerf by s
| where PbPerf>10

but anyway, you cannot use before span=1d and then span=1h, because you have the same hour in each date for each day.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎04-27-2022 04:04 AM

Hi

Your idea is not bad but :

1) the where condition works only if I delete "by s"

2) if I timechart by s, I have only ten results for s

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎04-27-2022 04:07 AM

Hi @jip31,

this isn't a problem od the search but of your data, maybe you should use a different threshold.

When you say 14 results are you speking of two weeks or what else?

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎04-27-2022 06:27 AM

it's 14 events

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎04-27-2022 07:03 AM

Hi @jip31,

as I said, if using the BY clause probably you should better analyze your data to understand if the results you're waiting are correct.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎04-27-2022 07:44 AM

Hi @jip31,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...