Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Sum of new events over time

liorfink
Engager
‎08-23-2015 02:06 AM

Hi all!
I'm new to Splunk and I'm having trouble making my search correct.
I've tried searching but found no case exactly like mine.

the problem:
I have a log with many 'Events', each event has a status: New/Old.
Old means it has been dealt with.
I would like to make a line-chart that will show the total number of new events over time.
My chart:
alt text

The way the chart should look:
alt text

This is what I've tried so far:
host="MyHost" Status="New" | timechart count(Status)
... | timechart sum(Status)
... | timechart sum(count(Status))

Any help will be appreciated!
Thanks!

Tags (2)
Preview file
5 KB
Preview file
7 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎08-23-2015 07:07 AM

This should do what you need:

host="MyHost" Status="New" | timechart count | accum count

That will turn the count per timeslot into a running total.

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎08-23-2015 07:07 AM

This should do what you need:

host="MyHost" Status="New" | timechart count | accum count

That will turn the count per timeslot into a running total.

Reply
Solved! Jump to solution

liorfink
Engager
‎08-23-2015 11:28 PM

Thank you!
That worked!

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...