Splunk Search

Timechart, how to display value of the field

jshanaiah
Explorer

Using the timechart command, I want to display values of 7 fields. I don't want to use avg, sum functions. I just want to display the values of the field...

I used the "values" function, it didn't work.


jshanaiah
Explorer

Thanks, that helped

goodjon
New Member

So where is the solution? I only see 'thanks that helped'.  


Ayn
Legend

If you only want to get the values of the fields for each time the event occurs you could do this:

<yourbasesearch> | table _time,field1,field2,field3,(and so on)

and create a report of it. This seems to be what you're after.

If for some reason you want to take the timechart route anyway, you need to understand that the thing with timechart is that as it always operates on intervals (timespans) that it uses to divide events, it needs to know how to handle the situation where multiple events are found in an interval. This is where the statistical functions come to use. Let's say you define the timespan for timechart to be 1 minute, and that somewhere in the log you have 3 of these events occurring within 1 minute. Splunk then needs to know how to give you ONE value for your fields, even though there are 3 values of each. You can tell Splunk to just give you an average from the 3 events using the stats function avg. Or, if you only want the values from the first of the events within the time period, use first. Want the median? Use median. And so on.

More information on statistical functions is available here: http://www.splunk.com/base/Documentation/latest/SearchReference/Stats
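
Added example, not part of the original answer: a self-contained search that reproduces the situation described above, with three constructed events inside the same one-minute span, so you can see timechart collapse them into one row per function. The events and the values of field1 and field2 are generated with makeresults and are made up for illustration.

```spl
| makeresults count=3
| streamstats count AS n
| eval _time = relative_time(now(), "@m") + (n * 10)
| eval field1 = n * 10, field2 = n * 100
| timechart span=1m first(field1) AS first_field1 avg(field1) AS avg_field1 median(field1) AS median_field1 first(field2) AS first_field2
```

Replacing the last line with `| table _time,field1,field2` shows the same three events as separate rows, which is the table approach from the start of the answer.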
