Splunk Search

Timechart Function

New Member

I am new to Splunk, so this question might be straight forward! I am looking to create a stacked chart by day.

This is the search that worked for 1 column, I am looking to add many more columns in addition to Mobile, i.e. 720P, 1080P. So the strings are OutputProfile-720P, OutputProfile-1080P. What is the best way to create Time chart with 3 columns and then create a stacked bar chart.

"OutputProfile-Mobile" NOT "Failed" | timechart count(host) as "Mobile"

Thanks very much for your help!
Chintu

Tags (1)
0 Karma

New Member

Thanks very much, this was very helpful!

I had just a couple more questions -

  1. For the time range - what is the best way to show the data by month, and the current month's data will update maybe end of every day?
  2. In the above situation - will it run the search every time the dashboard is loaded? or will it store the data for historical data and just load the current data.

Thanks again!

0 Karma

New Member
  1. Convert the current search to summary index search, schedule the search to run every day 1 am or 2 am to get yesterday's data and store it in summary index.

  2. Create another search to get data from the summary index, and in your dashboard do the search with time chart span=1m for year. the search will be faster.

or
Create a Advanced dashboard with time component so that with custom time you can make your search to run.

0 Karma

New Member

Try this,

search "OutputProfile-720P" OR "OutputProfile-1080P" NOT "Failed" | rex "OutputProfile-(?\d+\w{1})"| timechart count by MOBILE_TYPE

0 Karma

New Member

Yes its case sensitive, I dont know some how its not showing my backslash and uppercase were gone i dont know, hopefully this comment displays my search properly...:)

search "OutputProfile-720P" OR "OutputProfile-1080P" NOT "Failed" | rex "OutputProfile-(?\d+\w{1})"| timechart count by mobile_type

0 Karma

Legend

MOBILE_TYPE at the end has to be lower-case, as field names are case-sensitive. You could make that search even more generic with

"OutputProfile-720P" OR "OutputProfile-1080P" OR "OutputProfile-Mobile" NOT "Failed" | rex "OutputProfile-(?\S+)"| timechart count by profile_type

0 Karma

Legend

It's not quite as straight forward as you might think. The timechart command can only accept one 'split by" series, kind of like this

timechart count by field

So you need to create a single field that reflects the type of data. There are lots of ways to do this, but I suggest this as a starting point:

  • Create an eventtype for each profile. For example, run the following search and then save it as an eventtype named "Mobile" ("Create Eventtype" in 4.3)

    "OutputProfile-Mobile" NOT "Failed"

  • After you have created the eventtypes, run the following search

    eventtype=Mobile OR eventtype=P720 OR eventtype=P1080 | timechart count(host) by eventtype

BTW, count(host) actually means "count the number of events that have a value for the host field", and not "count the number of unique hosts." I mention this because it is often a point of confusion.