Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Sum Field value with no duplicates and how to timechart it.

Rakesh915473
Explorer
‎07-08-2021 04:59 AM

Hello Team,

I have just started learning Splunk 🙂

Example: I have done basic search index="xyz" |

I have got some logs like below

Event1 : Field                Value              

                username     Rakesh 

                timestamp    10AM

Event 2: Field                Value

                username     Anitha

                timestamp    11AM

Event 3: Field                Value

                username     Rakesh

                timestamp    12PM

Event 4: Field                Value

                username     Harika

                timestamp    1PM

So, I want a total username count 3 (ignoring duplicate Field Rakesh) and I want to display timechart x-axis: timestamp and y-axis: username total count.

Labels (7)
Tags (1)
0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-08-2021 07:52 AM

@Rakesh915473 

You can get distinct username by dc() function like 

index="xyz" | timechart dc(username) as count

 

But timechart using _time for plotting time spans. To use timestamp under x axis, it should be date or date time.  So can you please share sample data for timestamp ?

 

KV

 

0 Karma
Reply

Rakesh915473
Explorer
‎07-08-2021 10:44 AM

Hello @kamlesh_vaghela 

Thanks for replied,

I can see how many times username is triggered count in time chart, But I want to see field username total count 3(Rakesh, Anitha, Harika) to be plotted in Y-axis, date time is fine on x-axis.

Rakesh915473_0-1625766149445.png

Here username is updated from log all the time, I want to see this total count 11(real time) to be plotted in time chart Y-axis and date time on x-axis.

Thanks in advance for your help.

 

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-08-2021 10:04 PM

@Rakesh915473 

The count in Selected Fields for username is distinct username appeared between selected time range. So when you Weill execute time chart search, will show you all 11 username trends.

Can you please try this?

index="xyz" username=* | timechart useother=f usenull=f count by username

 

KV

0 Karma
Reply

venkatasri
SplunkTrust
SplunkTrust
‎07-08-2021 05:06 AM

Hi @Rakesh915473 

Can you. try this?

<your_search_goes_here>
| timechart count by username

---

An upvote would be appreciated and Accept solution if this reply helps!

Tags (1)
0 Karma
Reply

Rakesh915473
Explorer
‎07-08-2021 10:47 AM

Hi @venkatasri 

I want to print field value to be plotted(real time) in chart Ex: username: 11

Rakesh915473_0-1625766414350.png

 

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...