Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Timechart limit order

asetyyli
Explorer
‎06-27-2014 05:54 AM

My goal is to create a stacked area timechart that has the number of unique "users" on y-axis split by "user age", where "user age" is bucketed into 1 day spans and the first 5 buckets from 0 upward are included in the plot (with rest of the buckets in OTHER). The search

timechart dc(user) span=1d by limit=5 user_age span=1d

does almost what I want, except it includs the 5 largest buckets, not first 5 consecutive buckets as I would want. Top N values based on the sum of each series is the default documented behavior of , but is there a way to specify first five (in order) instead?

Thanks,

Tags (2)
0 Karma
Reply

somesoni2
Revered Legend
‎06-27-2014 07:51 AM

Give this workaround a try

Your base search with fields user, _time, user_age | bucket span=1d _time | stats dc(user) as UserCount by _time user_age | sort user_age | streamstats count as sno by user_age | eval sno=if(sno>1,0,sno) | accum sno | eval user_age=if(sno>5,"OTHER",user_age) | timechart span=1d sum(UserCount) by user_age
0 Karma
Reply

somesoni2
Revered Legend
‎07-11-2014 07:59 AM

Its tough to say without looking at the logs. Would you mind providing some and also sample output based on that data?

0 Karma
Reply

asetyyli
Explorer
‎07-11-2014 02:43 AM

Thanks for the revised answer. It seems I need to bucket the user_age at the beginning to make your method work (bucket span=1d user_age). The resulting counts are inflated slightly compared with a search without splitting by user_age, though. When we are doing "stats dc(user) as UserCount by _time user_age" users that have a transition in user_age within a _time bucket are counted twice, right?

Some background: user_age is a field containing the time in seconds elapsed after the creation of a specific user at the time of the recorded event. Basically user_age = (_time - user_created_ts).

0 Karma
Reply

somesoni2
Revered Legend
‎06-30-2014 06:38 AM

I may have overlooked some conditions. Could you try the updated answer?

0 Karma
Reply

asetyyli
Explorer
‎06-30-2014 06:08 AM

Thanks for the reply. I changed the span to 1d in both places in your example, because I'm intersted in day sized buckets both with _time & user_age. Unfortunately I'm not getting the same total distinct user count as with plain "timechart dc(user) span=1d".

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...