Splunk Search

What is being counted in this query?

Justin1224
Communicator

What is being counted in this query? Here it is:

| `tstats` count from datamodel=Authentication by _time span=10m | timechart minspan=10m count

The best I can figure out, it is counting from the datamodel named "Authentication" by the field "_time" in 10 minute increments. However, that doesn't really explain what is being counted. It doesn't specify a field other than _time. And the search would be kind of useless if it only counted in 10 minute intervals with nothing else. Does anyone have any ideas as to what this search is doing?

If it helps, the search was dubbed "Access - Access Over Time".

1 Solution

somesoni2
Revered Legend

If no field name is passed (just count is used and not count(field)), it's counting the number of records from the data source.

The by _time span=10m is causing the _time field to be bucketed into 10 min sections, e.g. 10/14/2016 00:00, 10/14/2016 00:10, 10/14/2016 00:20..., and then the count (of results which fall under that _time bucket) is done for each bucket value of _time.

The output would be like this (10 min bucketed _time value, followed by the count of events from datamodel=Authentication which have _time within the range of that bucketed _time):

    _time               count
    10/14/2016 00:00    xxx
    10/14/2016 00:10    yyyy
    10/14/2016 00:20    zzzz



Justin1224
Communicator

That helps, thank you!


Justin1224
Communicator

So just for clarification, the timechart part at the end is just formatting the data into a timechart right?


inventsekar
Super Champion

Yes, timechart creates a chart/table like this one -

    _time               count
    10/14/2016 00:00    xxx
    10/14/2016 00:10    yyyy
    10/14/2016 00:20    zzzz

somesoni2
Revered Legend

That is correct...
