Timechart, how to display value of the field

Using the timechart command, I want to display the values of 7 fields. I don't want to use the avg or sum functions. I just want to display the values of the field.

I used the "values" function, it didn't work.

Re: Timechart, how to display value of the field

If you only want to get the values of the fields for each time the event occurs you could do this:

<yourbasesearch> | table _time,field1,field2,field3,(and so on)

and create a report of it. This seems to be what you're after.

If for some reason you want to take the timechart route anyway, you need to understand that the thing with timechart is that as it always operates on intervals (timespans) that it uses to divide events, it needs to know how to handle the situation where multiple events are found in an interval. This is where the statistical functions come into use. Let's say you define the timespan for timechart to be 1 minute, and that somewhere in the log you have 3 of these events occurring within 1 minute. Splunk then needs to know how to give you ONE value for your fields, even though there are 3 values of each. You can tell Splunk to just give you an average from the 3 events using the stats function avg. Or, if you only want the values from the first of the events within the time period, use first. Want the median? Use median. And so on.

More information on statistical functions is available here: http://www.splunk.com/base/Documentation/latest/SearchReference/Stats
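
An added example, not part of the original answer: the 1-minute case described above, built from constructed events with makeresults so it runs without indexed data. The values in field1, the time offsets and the output column names are assumptions made for illustration; `sort - _time` puts the sample events in the newest-first order that an index search normally returns, which is the order first() follows.

```spl
| makeresults count=4
| streamstats count AS n
| eval _time = relative_time(now(), "-5m@m") + case(n=1, 5, n=2, 20, n=3, 50, n=4, 70)
| eval field1 = case(n=1, 10, n=2, 60, n=3, 26, n=4, 40)
| sort - _time
| timechart span=1m
    first(field1) AS first_seen
    earliest(field1) AS earliest_value
    latest(field1) AS latest_value
    avg(field1) AS average
    median(field1) AS median_value
```

The first minute holds three events, so each function collapses them to one value for that row. The second minute holds a single event, so every column shows the same value there.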

Re: Timechart, how to display value of the field

Thanks, that helped