chart on basis on time

LauraBre · ‎05-16-2012

Hello,

This is my search :

tag::source="TokenizerWatchdogSplunk" Service_Type="*" | eval series=case(Service_Type="T2D","detok",Service_Type="D2T","tok")|chart count by Requester, series

I have the number of tok and detok by requester in column. I want to have the same thing on basis on the time. How can I do it? If I add a field '_time' behind the last series, Splunk returns me an error.

Thanks by advance.

LauraBre · ‎05-16-2012

Ok, thanks. But how can do to have the time in dynamic. I want that in the dashboard, the users can change the time scale. Can't show two things one a same axis????

Ayn · ‎05-16-2012

If you don't specify a span argument to bucket it will choose an appropriate span itself, which might result in the behaviour you want.

Damien_Dallimor · ‎05-16-2012

Here is one potential approach. Bucket up your results based on _time, as in the below example, into 1 hour buckets.Adjust the span value to adjust the bucket duration you want.

tag::source="TokenizerWatchdogSplunk" Service_Type="*" | eval series=case(Service_Type="T2D","detok",Service_Type="D2T","tok")| bucket _time span=1h | stats count by Requester series _time

chart on basis on time

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

chart on basis on time

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem