How would I chart count of field values over time?
Hi,
I have a very ugly data feed, and the customer thinks that they are getting duplicate events, because the event count goes up every so often. I think the issue is that the feed is different every so often, and I want to prove it by charting a specific field's value and count over time (with a 5 minute time span). I have this:
index=euc_vcdata sourcetype=VCSZoneInfo | table _time, SubzoneName
which gives me time and the field, but now I want a count of the number of events to go with it.
Is there a way to do this?

Try this (useful when the number of distinct values for field SubzoneName is not high (1-50)):
index=euc_vcdata sourcetype=VCSZoneInfo | timechart span=5m count by SubzoneName
This should give a table with span=5m and count for each value of SubzoneName for those buckets.
What @ppablo_splunk stated would plot the count of SubZoneName over 5 minute increments regardless of the value of SubZoneName. I think @a212830 is looking for duplicates of the values in SubZoneName during a 5 minute window. Perhaps a transaction command coupled with linecount>1 search would work.
index=euc_vcdata sourcetype=VCSZoneInfo | transaction maxspan=5m SubzoneName | search linecount>1

Hi @a212830
Are you looking for something like this?
index=euc_vcdata sourcetype=VCSZoneInfo | timechart span=5m count(SubzoneName)
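As an added example (not part of any answer above), the following search builds on the timechart and transaction answers to separate the two explanations for a rising event count: per 5-minute bucket it reports the total events, the number of distinct SubzoneName values (a growing distinct count means the feed's content changed), and which values repeat within the bucket (repeats point to duplicates). It assumes the index, sourcetype and field name exactly as the question gives them; field names in Splunk are case-sensitive, so SubzoneName must match the extracted field.

```spl
index=euc_vcdata sourcetype=VCSZoneInfo
| bin _time span=5m
| stats count AS events_for_value BY _time SubzoneName
| eventstats sum(events_for_value) AS total_events dc(SubzoneName) AS distinct_values BY _time
| eval repeated_value=if(events_for_value>1, SubzoneName, null())
| stats first(total_events) AS total_events first(distinct_values) AS distinct_values values(repeated_value) AS repeated_values BY _time
| sort _time
```

Buckets where total_events rises but distinct_values and repeated_values stay flat indicate more events per value rather than a changed feed; buckets with a non-empty repeated_values column are the ones to compare raw events in.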
