- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to use timechart with counters?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to use timechart with counters?
HI everyone
I have two queries that returns an total accumulated of transactions.
host="konecta-marketing" "request.input.text"="*" | stats count
and
host="konecta-marketing"| stats count by request.context.conversation_id | search count>1 | stats count
I´ve tried make an time chart with this but unsucessfully:
host="konecta-marketing" | timechart count(request.context.conversation_id) as Conversaciones count(request.input.text) as Peticiones | search Conversaciones > 1
When i use this query the result in the graph is not the same that when i use the first query (host="konecta-marketing"| stats count by request.context.conversation_id | search count>1 | stats count)
Any idea ?
Only i need compare into graph two accumulers of previous queries.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
are you trying to get a distinct count of how many request.context.conversation_id there are (when there are more than one of each)? in your second query, you're doing a stats count by request.context.conversation_id and then counting those results, which is only counting the number of results - basically counting how many request.context.conversation_ids you have. i just want to make sure that's what you're trying to do, and not wanting to sum up the values of count
in your query that doesn't quite work, you're basically counting every single instance of request.context.conversation_id, which is similar to if you were to sum it at the end in the original syntax (without the filter of count>1), but since you aren't counting by that field, when you are searching Conversaciones>1, you are basically eliminating any timespan (which is automatically set depending on your time range since you don't have it specified in timechart) that doesn't have a count>1. So the queries themselves are not the same at all.
What you might want to do is do an |evenstats count as Conversaciones by request.context.conversation_id|search Conversaciones>1 OR request.input.text=*|timechart sum(Conversaciones) as Conversaciones count(request.input.text) as Peticiones or something similar.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for reply
Yes i wan to do it so .....but in this case is strange because my query (host="konecta-marketing"| stats count by request.context.conversation_id | search count>1 | stats count) returns 5500 events and the new query like you said returns 9000 events ..both must be same.
In this query i count all events and then count if are 2 or more times for me is an conversation and works in a graph of type counter but i need to compare it vs request (host="konecta-marketing" "request.input.text"="*" | stats count) in a timechart graph or similar
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try using count instead of sum in the timechart command i mention above.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
