Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Timechart distribution of stats count result
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jgcsco
Path Finder
08-19-2015
09:01 PM
I am trying to do the following search:
Log file looks like
2012-12-01 11:00:00 id=B starttime=2012-12-02T08:00:00 length=100
2012-12-01 11:00:00 id=C starttime=2012-12-02T08:00:00 length=150
2012-12-01 11:00:00 id=A starttime=2012-12-02T08:00:01 length=100
2012-12-01 11:00:00 id=D starttime=2012-12-02T08:00:00 length=110
2012-12-01 11:00:00 id=C starttime=2012-12-02T08:00:20 length=100
2012-12-01 11:00:00 id=A starttime=2012-12-02T08:00:00 length=200
....
First, I need to find out how many unique values of "id + starttime + length"
mysearch| eval output = (id + ";" + starttime + ";" + length) | stats count AS key by output
Then I would like to find out on an hourly basis, the distribution of the key, e.g. how many keys occurred once, twice, 10, 20, etc.. hourly?
I have been struggling with it. Any suggestions?
Thanks
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
08-20-2015
10:59 AM
Try something like this
Yoursearch | bucket _time span=1h | eval output= (id + ";" + starttime + ";" + length) | stats count as KeyCount by _time output | eventstats dc(output) as UniqueKeys
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
08-20-2015
10:59 AM
Try something like this
Yoursearch | bucket _time span=1h | eval output= (id + ";" + starttime + ";" + length) | stats count as KeyCount by _time output | eventstats dc(output) as UniqueKeys
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jgcsco
Path Finder
08-20-2015
11:04 AM
thanks, will give it a try!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jensonthottian
Contributor
08-19-2015
10:01 PM
Use this -
mysearch | bucket _time span=1h | eval output = (id + ";" + starttime + ";" + length) |stats count by _time,output.
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
