Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is TimeChart assigning values from spanned table?

michaelhaedt
Explorer
‎04-01-2022 12:02 PM

Hello All,

I have a really simple search, while it works, I'd like to do some operations on that data:

 

 

index=xxxx

earliest=-2w@w0 latest=@w6@d+24h

| timechart span=7d count(response_time)

 

 

Output is 

2022-03-13                          3,xxx,xxx

2022-03-20                            3,xxx.xxx

The deal is, I'd really like to have those seperate outputs as variables like Week1 and Week2. This way I could do some operations to see my sites volume week to week change so I can normalize error data. Hopefully this makes sense.

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

VatsalJagani
SplunkTrust
SplunkTrust
‎04-05-2022 10:58 AM

Try this query:

index=xxx earliest=-2w@w0 latest=@w6@d+24h
| timechart span=7d count(response_time)
| streamstats count as week_num
| eval Week="Week".week_num | fields - week_num, _time, _span
| transpose header_field="Week"

 

transpose command should be able to do what you are looking for.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎04-01-2022 11:15 PM

Try this:

index=xxx earliest=-2w@w0 latest=@w6@d+24h
| timechart span=7d count(response_time)
| streamstats count as week_num
| eval Week="Week ".week_num | fields - week_num, _time

 

Kindly accept the answer if it gives resolution.

0 Karma
Reply
Solved! Jump to solution

michaelhaedt
Explorer
‎04-05-2022 07:58 AM

So that gives me a very similar output to what I have, which I need to have variables assigned the count(response_time) of each of the weeks. I like how this solution put it into one search and not an appended search though, very clever, I'd love to know how it works.

0 Karma
Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎04-05-2022 08:58 AM

With streamstats you can assign the numbers to your results and then with eval I'm just appending that number to "Week ".

This works because proper ordering and missing values of _time series will already be handled by timechart command.

0 Karma
Reply
Solved! Jump to solution

michaelhaedt
Explorer
‎04-05-2022 09:05 AM

Thanks for the explanation! I still need a way to assign the counts of Week 1 and 2 to  variables so I can start to manipulate the data.

Tags (1)
0 Karma
Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎04-05-2022 09:51 AM
Can you please explain by posting your current output and explain what change you are looking for?
0 Karma
Reply
Solved! Jump to solution

michaelhaedt
Explorer
‎04-05-2022 10:19 AM

Below is my data: I need to be able to assign the data to a variable like Week1Data = 1160516 and Week2Data = 3488119

This seems really easy, but I don't know how to logically address the data in the table to do an Eval 

11160516Week 1
23488119Week 2
Tags (1)
0 Karma
Reply
Solved! Jump to solution
Solution

VatsalJagani
SplunkTrust
SplunkTrust
‎04-05-2022 10:58 AM

Try this query:

index=xxx earliest=-2w@w0 latest=@w6@d+24h
| timechart span=7d count(response_time)
| streamstats count as week_num
| eval Week="Week".week_num | fields - week_num, _time, _span
| transpose header_field="Week"

 

transpose command should be able to do what you are looking for.

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...