Splunk Search

How would I chart count of field values over time?

a212830
Champion

Hi,

I have a very ugly data feed, and the customer thinks that they are getting duplicate events, because the event count goes up every so often. I think the issue is that the feed is different every so often, and I want to prove it by charting a specific field's value and count over time (with a 5 minute time span). I have this:

index=euc_vcdata sourcetype=VCSZoneInfo | table _time, SubzoneName

which gives me time and the field, but now I want a count of the number of events to go with it.

Is there a way to do this?

0 Karma

somesoni2
Revered Legend

Try this (useful when the number of distinct values for field SubzoneName is not high (1-50)):

index=euc_vcdata sourcetype=VCSZoneInfo | timechart span=5m count by SubzoneName

This should give a table with span=5m and count for each value of SubzoneName for those buckets.

0 Karma

jeremiahc4
Builder

What @ppablo_splunk stated would plot the count of SubzoneName over 5 minute increments regardless of the value of SubzoneName. I think @a212830 is looking for duplicates of the values in SubzoneName during a 5 minute window. Perhaps a transaction command coupled with a linecount>1 search would work.

index=euc_vcdata sourcetype=VCSZoneInfo | transaction maxspan=5m SubzoneName | search linecount>1
0 Karma

ppablo
Retired

Hi @a212830

Are you looking for something like this?

index=euc_vcdata sourcetype=VCSZoneInfo | timechart span=5m count(SubzoneName) 
0 Karma
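
One way to test the duplicate-event theory from the question, added here as an example and not part of any reply above: hash each event's raw text, bucket events into 5-minute spans, and compare the total event count with the count of distinct events for each SubzoneName. The index, sourcetype and SubzoneName come from the question; the output field names raw_hash, events, distinct_events and repeated_events are chosen for this example.

```spl
index=euc_vcdata sourcetype=VCSZoneInfo
| eval raw_hash=md5(_raw)
| bin span=5m _time
| stats count AS events, dc(raw_hash) AS distinct_events BY _time, SubzoneName
| eval repeated_events = events - distinct_events
| sort 0 _time, SubzoneName
```

A bucket where events rises while repeated_events stays at 0 means the feed delivered different content, not byte-identical duplicates. A non-zero repeated_events value means the same raw event was indexed more than once inside that 5-minute bucket.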