Hi,
is it possible to write a search, that shows the total count of events by indextime (span=1m)?
Best
Heinz
Try this: UPDATED with a search that works.
index=main | eval indexed_time=strftime(_indextime, "%+") | timechart span="1m" count(indexed_time)
Cool, so you're all set then?
hey,
renaming _time works. just try out a very simple search:
your search | eval _time=now() | timechart count
I don't think calling _indextime _time is going to change the time used by timechart.
I think what you want to do is extract the minute from the _indextime field, and then count by that minute.
Hi,
but this search is using _time and not the indextime, right? And _time is using a timestamp of the event.
So for my purposes the timechart should use the indextime.
Could this be a correct approach?
index=* | rename _indextime AS _time | timechart span=1min count | sort 0 - _time
I get results, but have to option to check them back
Thanks, learn something new every day. Also, learned that this search I posted give the wrong results... Updating it now.
FYI, _indextime=*
is unnecessary as all events have the _indextime
field
The sort
and the table
commands are likewise unneeded, as stats
already does these functions.
Otherwise, this is fine.
I downvoted this post because the link no longer works.
@ahjmcaleer, down voting a over three years old post is pretty harsh .... but I'm also here to help, so find the most recent link here http://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Eventstats
I'm looking forward for your upvote 😉
Hey MuS,
thanks for the new input. This search works fine and gives the same results as the search I tried out earlier:
index=* | rename _indextime AS _time | timechart span=1min count | sort 0 - _time
Hi Heinz, now that I'm able to test things I would suggest that you use something like this:
index=* | bucket span=1m _indextime | eval myTime=strftime(_indextime, "%+") | chart count by myTime
timechart uses _time underneeth and with chart you can define 'over' and 'by' clauses.
Maybe something like
YourSearch | bucket _indextime span=1m | stats count by _indextime
Hi,
I already had a look at this, but don't know how to achieve me goal with it