Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Not able to create a 24hour chart with the table.

theouhuios
Motivator
‎10-19-2012 10:43 AM

Hello

I am trying to do a 24hr and 31 days chart for the threshold value which will be as a output of this table. Now the below code gives me threshold value for each workgroup. I now need to create a timechart which mentions about the number of times the threshold for a particular workgroup(A) is exceeded.

index=xxxx search_name="xxxx" | rename record_assignmentGroup as A | eval mybucket=case(date_hour<4,1,date_hour<8,2,date_hour<12,3,date_hour<16,4,date_hour<20,5,date_hour>0,6) | stats count as I by A, mybucket,date_mday,date_month,date_year  | delta I as D  | eval D = abs(D) | eventstats avg(I) as xbar, avg(D) as mbar by A | eval threshold = xbar + (2.66*mbar) | eval threshold=coalesce(threshold,0) | dedup A | fields A threshold | table A threshold

I made use of macro and now the search is 

index=xxxx search_name="xxxx"  |  `bucket_incident` | `threshold_incident`|

It's just a shorter version of the first one.

Output:

A threshold

Regards

theou

Tags (2)
0 Karma
Reply

bmacias84
Champion
‎10-22-2012 09:45 AM

@theouhuios, Could you explain what your trying to accomplish with your case statment?



eval mybucket=case(date_hour<4,1,date_hour<8,2,date_hour<12,3,date_hour<16,4,date_hour<20,5,date_hour>0,6)

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎10-20-2012 10:17 AM

if your grouping is per time bucket (mybucket), then keep it at every steps of your commands : stats, fields, etc...
and at the end your probably want |table A mybucket threshold

0 Karma
Reply

theouhuios
Motivator
‎10-19-2012 01:48 PM

@bmacias84 I updated it now. Any idea on how to solve this.

0 Karma
Reply

theouhuios
Motivator
‎10-19-2012 01:42 PM

I should have been a bit more clear. Will update the part now.

0 Karma
Reply

bmacias84
Champion
‎10-19-2012 01:37 PM

I am not sure what you trying to do exactly, but you need to perserve _time to use timechart or to use chart use (chart count over time by x) in your stats command and eventstats.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...