Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Timechart count of -30d rolling window
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hoiby
Explorer
04-21-2014
04:53 PM
I'm looking to create a timechart of counts for a field where there is one bucket per day, and each bucket spans back 30 days. So the search would return a count for -30d to now, and -31d to -1d, and -32d to -2d, and so on, ideally back to the oldest index entry. I intend to display the counts directly on a line chart and also do some basic evals on the counts (like percentages). The idea is to get a historical snapshot of data from the perspective of each day. I've read some other posts that point to summary indexing as an answer, and that seems like it would solve the problem for future data, but I also have a need to look at historical data right now rather than wait for the summary index to be built to be able to see a trend.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sc0tt
Builder
04-22-2014
06:00 AM
I believe creating a summary index is the best solution for this scenario. You can backfill the index so that you can use historical data. Somebody may be able to provide a better solution, but this is the method that I've used for similar types of reports.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sc0tt
Builder
04-22-2014
06:00 AM
I believe creating a summary index is the best solution for this scenario. You can backfill the index so that you can use historical data. Somebody may be able to provide a better solution, but this is the method that I've used for similar types of reports.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hoiby
Explorer
04-22-2014
12:01 PM
Thanks for the quick responses. I was able to get the appropriate results using streamstats as you suggested, but without building a summary index. In this scenario, would the purpose of the index be just for performance reasons? Does the data in the summary index persist for a longer time than our (90 day) normal index so we could search the summary of todays data in say, 1 year?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
04-22-2014
06:47 AM
Agree with sc0tt, it seems you want to show timechart for all data in your index which should be expensive. Have a summary index configured to save data on daily basis (for historical data as well) and then use streamstats to get the rolling count, something like below-
your base search | timechart span=1d count(yourfield) as yourfield | streamstats sum(yourfield) as Count window=30
Get Updates on the Splunk Community!
Exciting News: The AppDynamics Community Joins Splunk!
Hello Splunkers,
I’d like to introduce myself—I’m Ryan, the former AppDynamics Community Manager, and I’m ...
The All New Performance Insights for Splunk
Splunk gives you amazing tools to analyze system data and make business-critical decisions, react to issues, ...
Good Sourcetype Naming
When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...
