Problem in Search Command

sbnoobbb · ‎07-17-2013

Hi,

Please take a look at my table below which i came up with using this search command

sourcetype="json_onemap" | stats max(cases) as NoOfCases by description location _time | sort -_time

I manage to come up with this search command to see an overview of the data i want to retrieve but I just could not derive the logic. I need to sum up the no. of cases in each description with the same location in the given day.

Please help me!

I want to achieve something like this:

Thank you and have a nice day ahead !

clymbouris · ‎07-20-2013

Hi,

I wouldn't use the _time field in this case. If you want a time trend a sparkline can give you a good indication of when cases happened throughout the day. How about you summarize using something like

search.. | stats sparkline sum(cases) as NoOfCases by location

sbnoobbb · ‎07-19-2013

What I want to achieve is to add up all the cases in the same location, but I have lots of duplicate event inside splunk. The data came out incorrect when i use sum.Is okay, I have solved the problem.
Thanks anyway (:

asimagu · ‎07-18-2013

do you want to achieve that at the same time that you get that table?? coz otherwise you can always omit "description" in your search, sorry not sure if I understood what you are after

Problem in Search Command

Observability | How to Think About Instrumentation Overhead (White Paper)

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

The Great Resilience Quest: 10th Leaderboard Update