Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Stats into timechart

wormfishin
Engager
‎03-20-2014 07:26 AM

I'm running a query for a 1 hour window. I need to group events by a unique ID and categorize them based on another field. I can do this with the transaction and timechart command although its very slow.
transaction keepevicted=true UniqueID | timechart span="5m" limit=10 avg(duration) by myTypes

I'm trying to reproduce this output using stats but I need the data broken down into 5 minute intervals for each type of transactions. Here is what I have now that contains the final data I need. stats range(_time) as UniqueID_Durations first(_time) by myTypes UniqueID

I want to split this into a timechart using the first(_time) and have the time chart caclulate the average UniqueID_Duration for each myTypes.

I feel like it should be this, but it does not work.

stats range(_time) as UniqueID_Duration first(_time) by myTypes UniqueID | timechart span=5m avg(UniqueID_Duration) by myTypes.

Any suggestions?

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎03-20-2014 07:31 AM

Hi wormfishin,

the timechart command uses _time of your event which is not available anymore after your stats. You could try something like this :

stats range(_time) as UniqueID_Duration first(_time) as myTime by myTypes UniqueID | chart span=5m avg(UniqueID_Duration) over myTime by myTypes

this is un-tested, but should work....

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎03-20-2014 07:31 AM

Hi wormfishin,

the timechart command uses _time of your event which is not available anymore after your stats. You could try something like this :

stats range(_time) as UniqueID_Duration first(_time) as myTime by myTypes UniqueID | chart span=5m avg(UniqueID_Duration) over myTime by myTypes

this is un-tested, but should work....

cheers, MuS

Reply
Solved! Jump to solution

wormfishin
Engager
‎03-20-2014 08:08 AM

eventstats actually worked better as it displayed the time in string format instead of epoch. Thanks, that was exactly what I needed.

Reply
Solved! Jump to solution

gordo32
Communicator
‎08-01-2017 11:01 AM

agreed. I had a similar issue also resolved by eventstats

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎03-20-2014 07:36 AM

or simply use eventstats instead of stats and _time will stay in your results 😉

Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...