Solved: How to use the timechart command to get a certain ...

brdr · ‎05-10-2018

I have a lookup table with 3 fields: host, user, p_time

The events in the lookup table will contain 12 months of data. I have converted p_time to epoch format.

Simply, what I'm trying to accomplish is to use timechart command with a span of 1 month using p_time - to view the total number of events each month. As a side note, I would also like to include total number of events over 12 month period.

Any help would be appreciated.

woodcock · ‎05-10-2018

Just add this to the bottom of your existing search:

| eval _time = p_time
| timechart span=1mon count

View solution in original post

woodcock · ‎05-10-2018

Just add this to the bottom of your existing search:

| eval _time = p_time
| timechart span=1mon count

somesoni2 · ‎05-10-2018

And add following after the timechart command to get total events for whole 12 month period

| eventstats sum(count) as TotalEvents

brdr · ‎05-10-2018

Awesome. thank you both (as always) for responding 🙂

woodcock · ‎05-10-2018

Nice tag-team, @somsoni2. So now you and @daljeanis are both stalking me and fixing my silly oversights and mistakes. Thanks for picking up my slack.

macadminrohit · ‎05-10-2018

Is there another slack than the splunk user group slack ?

xpac · ‎05-10-2018

Yeah, the idiom "Pick up someones slack" 😉

How to use the timechart command to get a certain amount of time span in custom field?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation