Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to set a standard set for span values

psmp
Explorer
‎12-02-2021 02:15 PM

I have a dhasboard which should show buckets with number of machines by span of time. 

Machine A to F is used for 2 mins

Machines D-T was used for 2hrs

Machine s-Z was used for more than 4hrs

So my graph should show the buckets with time range as a standard set. 

XAxis

<5 mins,

5-30mins

30min - 2hrs

2-4hrs

 > 4hrs

YAxis 

No of machines logged on for <2mins

No of machines logged on for 5-30mins 

and so on.

Logon TimeLogoff TimeMachineNameSessionTimeinMins
12/1/2021 19:3312/1/2021 19:36A3
12/1/2021 16:4612/1/2021 17:04B18
12/1/2021 15:3512/1/2021 15:38C3
12/1/2021 11:3512/1/2021 11:38D120
12/1/2021 16:3512/1/2021 21:35E300

 

Base Search | bucket SessionTimeinMins span=20 | chart count(MachineName) by sessionSpan

But this do not help in achieving what i wanted. Any help is much appreciated.  Ho do I set my X-Axis to show standard buckets like <2min, 30-1h and bring the count into this bucket. 

 

Thanks

 

 

Labels (3)
Labels
0 Karma
Reply

psmp
Explorer
‎12-02-2021 03:37 PM

Thank you @ITWhisperer 

How can I match the events that fall under this buckets?  

like Machine A-X will fall under 5-30min as they all have session times in that timerange. 

Thanks for your time and help.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-02-2021 03:43 PM

Do you mean something like this?

| stats values(MachineName) as MachineName by sessionSpan
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-02-2021 03:01 PM 
| eval sessionSpan=case(SessionTimeInMins<5,"5 mins",SessionTimeInMins<30,"5-30mins",SessionTimeInMins<120,"30min - 2hrs",SessionTimeInMins<240,"2-4hrs",1==1,"> 4hrs")
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...