Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Sum Field value with no duplicates and how to timechart it.

Rakesh915473
Explorer
‎07-08-2021 04:59 AM

Hello Team,

I have just started learning Splunk 🙂

Example: I have done basic search index="xyz" |

I have got some logs like below

Event1 : Field                Value              

                username     Rakesh 

                timestamp    10AM

Event 2: Field                Value

                username     Anitha

                timestamp    11AM

Event 3: Field                Value

                username     Rakesh

                timestamp    12PM

Event 4: Field                Value

                username     Harika

                timestamp    1PM

So, I want a total username count 3 (ignoring duplicate Field Rakesh) and I want to display timechart x-axis: timestamp and y-axis: username total count.

Labels (7)
Tags (1)
0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-08-2021 07:52 AM

@Rakesh915473 

You can get distinct username by dc() function like 

index="xyz" | timechart dc(username) as count

 

But timechart using _time for plotting time spans. To use timestamp under x axis, it should be date or date time.  So can you please share sample data for timestamp ?

 

KV

 

0 Karma
Reply

Rakesh915473
Explorer
‎07-08-2021 10:44 AM

Hello @kamlesh_vaghela 

Thanks for replied,

I can see how many times username is triggered count in time chart, But I want to see field username total count 3(Rakesh, Anitha, Harika) to be plotted in Y-axis, date time is fine on x-axis.

Rakesh915473_0-1625766149445.png

Here username is updated from log all the time, I want to see this total count 11(real time) to be plotted in time chart Y-axis and date time on x-axis.

Thanks in advance for your help.

 

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-08-2021 10:04 PM

@Rakesh915473 

The count in Selected Fields for username is distinct username appeared between selected time range. So when you Weill execute time chart search, will show you all 11 username trends.

Can you please try this?

index="xyz" username=* | timechart useother=f usenull=f count by username

 

KV

0 Karma
Reply

venkatasri
SplunkTrust
SplunkTrust
‎07-08-2021 05:06 AM

Hi @Rakesh915473 

Can you. try this?

<your_search_goes_here>
| timechart count by username

---

An upvote would be appreciated and Accept solution if this reply helps!

Tags (1)
0 Karma
Reply

Rakesh915473
Explorer
‎07-08-2021 10:47 AM

Hi @venkatasri 

I want to print field value to be plotted(real time) in chart Ex: username: 11

Rakesh915473_0-1625766414350.png

 

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...