Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How would I chart count of field values over time?

a212830
Champion
‎10-23-2014 08:57 AM

Hi,

I have a very ugly data feed, and the customer thinks that they are getting duplicate events, because the event count goes up every so often. I think the issue is that the feed is different every so often, and I want to prove it by charting a specific fields value and count over time (with a 5 minute time span). I have this:

index=euc_vcdata sourcetype=VCSZoneInfo | table _time, SubzoneName which gives me time and the field, but now I want a count of the number of events to go with it.

Is there a way to do this?

Tags (3)
0 Karma
Reply

somesoni2
Revered Legend
‎10-23-2014 11:41 AM

Try this ( useful when no of distinct values for field SubzoneName is not high (1-50)

index=euc_vcdata sourcetype=VCSZoneInfo | timechart span=5m count by SubzoneName

This should give a table with span=5m and count for each value of SubzoneName for those buckets.

0 Karma
Reply

jeremiahc4
Builder
‎10-23-2014 11:16 AM

What @ppablo_splunk stated would plot the count of SubZoneName over 5 minute increments regardless of the value of SubZoneName. I think @a212830 is looking for duplicates of the values in SubZoneName during a 5 minute window. Perhaps a transaction command coupled with linecount>1 search would work.

 index=euc_vcdata sourcetype=VCSZoneInfo | transaction maxspan=5m SubZoneName | search linecount>1
0 Karma
Reply

ppablo
Retired
‎10-23-2014 10:57 AM

Hi @a212830

Are you looking for something like this?

index=euc_vcdata sourcetype=VCSZoneInfo | timechart span=5m count(SubzoneName)
0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
Top