Solved: How to use append on stats table to show count pas...

brianMiller94 · ‎07-05-2018

Hello,

I am trying to show the last 5 minute count with a larger time period spark chart.

index="iis"
|stats sparkline count by host
|append [search index="iis" earliest=-5m latest=now 
|stats count by host as "last_5"]
|rename host as "Web Server"
|rename sparkline as "Count Over Time"
|rename "last_5" as "Count Last 5 Minutes"
|table "Web Server", "Count Over Time", "Count Last 5 Minutes"

The last column is blank but the subsearch returns the expected data.

somesoni2 · ‎07-05-2018

Give this a try

index="iis"
| eval last5m=if(_time>=relative_time(now(),"-5m"),1,0)
 |stats sparkline as  "Count Over Time" sum(last5m) as "Count Last 5 Minutes" by host
 |rename host as "Web Server"
 |table "Web Server", "Count Over Time", "Count Last 5 Minutes"

View solution in original post

somesoni2 · ‎07-05-2018

Give this a try

index="iis"
| eval last5m=if(_time>=relative_time(now(),"-5m"),1,0)
 |stats sparkline as  "Count Over Time" sum(last5m) as "Count Last 5 Minutes" by host
 |rename host as "Web Server"
 |table "Web Server", "Count Over Time", "Count Last 5 Minutes"

brianMiller94 · ‎07-05-2018

Worked great, thank you!

How to use append on stats table to show count past 5 minutes?

Splunk Observability as Code: From Zero to Dashboard

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Shape the Future of Splunk: Join the Product Research Lab!

Are you a member of the Splunk Community?

How to use append on stats table to show count past 5 minutes?

Splunk Observability as Code: From Zero to Dashboard

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Shape the Future of Splunk: Join the Product Research Lab!