Splunk Search

How would I chart count of field values over time?

a212830
Champion

Hi,

I have a very ugly data feed, and the customer thinks that they are getting duplicate events, because the event count goes up every so often. I think the issue is that the feed is different every so often, and I want to prove it by charting a specific fields value and count over time (with a 5 minute time span). I have this:

index=euc_vcdata sourcetype=VCSZoneInfo | table _time, SubzoneName which gives me time and the field, but now I want a count of the number of events to go with it.

Is there a way to do this?

Tags (3)
0 Karma

somesoni2
Revered Legend

Try this ( useful when no of distinct values for field SubzoneName is not high (1-50)

index=euc_vcdata sourcetype=VCSZoneInfo | timechart span=5m count by SubzoneName

This should give a table with span=5m and count for each value of SubzoneName for those buckets.

0 Karma

jeremiahc4
Builder

What @ppablo_splunk stated would plot the count of SubZoneName over 5 minute increments regardless of the value of SubZoneName. I think @a212830 is looking for duplicates of the values in SubZoneName during a 5 minute window. Perhaps a transaction command coupled with linecount>1 search would work.

 index=euc_vcdata sourcetype=VCSZoneInfo | transaction maxspan=5m SubZoneName | search linecount>1
0 Karma

ppablo
Retired

Hi @a212830

Are you looking for something like this?

index=euc_vcdata sourcetype=VCSZoneInfo | timechart span=5m count(SubzoneName) 
0 Karma
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...