I'm having trouble understanding some portions of my search, I was wondering if someone could help me out.
Here is my search:
| `tstats` count from datamodel=Web by _time,Web.action span=10m | timechart minspan=10m useother=`useother` count by Web.action | `drop_dm_object_name("Web")`
Even after reading the Splunk search reference page for timechart, I still don't really understand what it does. Also, I don't understand what span is doing in the first command and what minspan is doing in the second command. Lastly, I also am unsure of what useother is and what it is doing.
Any help would be appreciated
All this info is from the Splunk docs only. Please check them once again and if you still have any doubts, let us know.
Your query is using data models, I think. If you give us some more info about your query, only then can we understand this query better.
Use the tstats command to perform statistical queries on indexed fields in tsidx files. The indexed fields can be from normal index data, tscollect data, or accelerated data models.
tstats Grouping by _time
You can provide any number of GROUPBY fields. If you are grouping by _time, supply a timespan with span for grouping the time buckets, for example span='1hr' or '3d'. This parameter also supports 'auto'.
timechart minspan - bin-options
Syntax: bins | minspan | span |
Description: Options that you can use to specify discrete bins, or groups, to organize the information. The bin-options set the maximum number of bins, not the target number of bins. See the Bin options section in this topic.
Description: Specifies the smallest span granularity to use when automatically inferring span from the data time range.
useother - Syntax: useother=
Description: Specifies if a series should be added for data series not included in the graph because they did not meet the criteria of the .
Thanks for the help! One thing I don't understand is that useother is supposed to have an = following it, correct? So why does the useother in my query have a macro following it? Isn't it just supposed to be either =T or =F?
And unfortunately I don't have any more information about the query, other than the query itself.
Also, I get that the 'by _time' is grouping by the field '_time', but what is the 'Web.action' directly following it doing? Also, the span=10m groups by the field _time for every 10 minutes, correct? If that's the case, when does it stop grouping? There are millions of different 10 minute periods within a few years' time; there's no way it can aggregate by each of those.
Lastly, I don't understand the description of what timechart minspan does. Could you try to describe it in simpler terms?
Thank you for your help
The useother accepts either t or f (and true or false). Your Splunk developer has probably written a macro to globally control which value should be used for all the searches (t or f). The macro should just be replacing the t OR f value there based on what has been set.
If you see multiple fields in the by clause, separated by comma or space, the grouping is done by all the fields (the order of grouping is defined by the order in which they're specified). The span=10m will update the value of _time into buckets of 10 min (all events from 00:00:00 to 00:09:59 will get grouped into 00:00:00, all events from 00:10:00 to 00:19:59 will get grouped into 00:10:00, etc.).
Splunk can aggregate billions. 🙂
Thank you for helping, somesoni2.
So it is grouping by the field _time and then aggregating those results by the field action? I'm unsure of what is being counted here. From what I understand it is saying it counts from the data model node that is called "Web" and aggregates these results first by _time field and then by action field. Which means it is performing this count for each 10 minute period and then performs that aggregation for each instance of the field action. I don't think my understanding there is correct. That seems like there would be a ridiculous number of results. Also, I'm completely lost as to what the second command does.
I guess my questions are: do I have that description of the first command right, what does the second command do, and what is the first command counting?
Thank you for helping
Assume your datamodel has data like this:
_time             action   someotherfield
09/22/2016 00:00  action1  blah
09/22/2016 04:00  action2  blah
09/22/2016 11:00  action1  blah
09/22/2016 12:00  action1  blah
09/22/2016 14:00  action3  blah
09/22/2016 22:00  action1  blah
09/22/2016 44:00  action2  blah
09/22/2016 59:00  action3  blah
count from datamodel=Web by _time,Web.action span=10m will give output like this (time is put into 10 min buckets and the count is calculated for each unique combination of bucketed time and action):
_time             action   count
09/22/2016 00:00  action1  1
09/22/2016 00:00  action2  1
09/22/2016 10:00  action1  2
09/22/2016 10:00  action3  1
09/22/2016 20:00  action1  1
09/22/2016 40:00  action2  1
09/22/2016 50:00  action3  1
The output is good for plotting in a chart, but they wanted to have a separate series/y-axis value for each action, so the next command is used.
| timechart minspan=10m useother=`useother` count by Web.action
_time             action1  action2  action3
09/22/2016 00:00  1        1        0
09/22/2016 10:00  2        0        1
09/22/2016 20:00  1        0        0
09/22/2016 40:00  0        1        0
09/22/2016 50:00  0        0        1
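To make the two steps in this answer concrete, here is an added Python emulation (not from the original thread, and not Splunk code) of what the tstats bucketing and the timechart pivot do to the sample rows above. The events, the 10-minute span and the limit/useother handling are constructed for the example; note that a real timechart also emits the empty 00:30 bucket as a row of zeros, which the table above skips.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events mirroring the answer's table: minutes past midnight
# on 09/22/2016 and each event's Web.action value (not real Splunk data).
DAY = datetime(2016, 9, 22)
SAMPLE_EVENTS = [
    (0, "action1"), (4, "action2"), (11, "action1"), (12, "action1"),
    (14, "action3"), (22, "action1"), (44, "action2"), (59, "action3"),
]

def bucket_time(ts, span):
    """Floor ts to the start of its span bucket; this is what span=10m does to _time."""
    return ts - (ts - datetime.min) % span

def tstats_count(events, span=timedelta(minutes=10)):
    """Emulates `| tstats count from datamodel=Web by _time,Web.action span=10m`:
    one count per unique (bucketed _time, action) pair; empty pairs do not appear."""
    counts = Counter()
    for minutes, action in events:
        counts[(bucket_time(DAY + timedelta(minutes=minutes), span), action)] += 1
    return dict(counts)

def timechart_by_action(counts, span=timedelta(minutes=10), limit=10, useother=True):
    """Emulates `| timechart count by Web.action`: one row per bucket on a
    continuous time axis and one zero-filled column per action. Only the `limit`
    largest series get their own column (10 is timechart's default); the rest
    are summed into OTHER when useother=t and dropped when useother=f."""
    totals = Counter()
    for (_, action), c in counts.items():
        totals[action] += c
    kept = [a for a, _ in totals.most_common(limit)]
    columns = kept + (["OTHER"] if useother and len(totals) > limit else [])
    first, last = min(b for b, _ in counts), max(b for b, _ in counts)
    rows, b = {}, first
    while b <= last:                      # timechart emits empty buckets too
        rows[b] = dict.fromkeys(columns, 0)
        b += span
    for (bucket, action), c in counts.items():
        col = action if action in kept else "OTHER"
        if col in columns:
            rows[bucket][col] += c
    return [(b, rows[b]) for b in sorted(rows)]

if __name__ == "__main__":
    grouped = tstats_count(SAMPLE_EVENTS)
    for bucket, row in timechart_by_action(grouped):
        print(bucket.strftime("%m/%d/%Y %H:%M"), row)
```

Running it with `limit=1` shows the useother difference: action2 and action3 are folded into a single OTHER column with `useother=True` and disappear with `useother=False`.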
Hey somesoni2, just to clarify, regarding Web.action, is "action" a field here? And is "Web" a parent node?
Sorry to keep bothering you on this question, but why is there a minspan=10m in the second command? Isn't the span=10m in the first command already separating the time into 10 minute buckets? So why have a minspan=10m? And is useother what's making the table have three different columns?