Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- graph only cumulative data with timechart and stre...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bill_bartlett
Path Finder
03-09-2015
11:58 AM
I've found this on the Splunk wiki that gives great examples on how to graph several sources and their cumulative totals: http://wiki.splunk.com/Community:Search_Report:_How_To_Create_a_Chart_of_Hourly_and_Accumulated_Inde...
Is it possible to use a similar method, but to only graph the cumulative total and not each of the individual sources that make up that total?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
03-09-2015
12:37 PM
Just add a table/fields command to remove other columns.
Query version from Blogpost
index=_internal group="per_index_thruput" earliest=@d latest=@h
| eval mb=kb/1024
| timechart span=1h sum(mb) as HourlyTotal by series
| addtotals fieldname=HourlyTotal
| streamstats sum(HourlyTotal) AS AccumulatedTOTAL
| table _time AccumulatedTOTAL
Another version
index=_internal group="per_index_thruput" earliest=@d latest=@h
| eval mb=kb/1024
| timechart span=1h sum(mb) as HourlyTotal
| streamstats sum(HourlyTotal) AS AccumulatedTOTAL
| table _time AccumulatedTOTAL
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
03-09-2015
12:37 PM
Just add a table/fields command to remove other columns.
Query version from Blogpost
index=_internal group="per_index_thruput" earliest=@d latest=@h
| eval mb=kb/1024
| timechart span=1h sum(mb) as HourlyTotal by series
| addtotals fieldname=HourlyTotal
| streamstats sum(HourlyTotal) AS AccumulatedTOTAL
| table _time AccumulatedTOTAL
Another version
index=_internal group="per_index_thruput" earliest=@d latest=@h
| eval mb=kb/1024
| timechart span=1h sum(mb) as HourlyTotal
| streamstats sum(HourlyTotal) AS AccumulatedTOTAL
| table _time AccumulatedTOTAL
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bill_bartlett
Path Finder
03-09-2015
12:50 PM
Thank you, this is almost perfect. Is there a way to format the time bucket on the chart? As it is now, the format makes for a very ugly chart if graphing more than a handful of columns.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bill_bartlett
Path Finder
03-09-2015
01:00 PM
I've figured it out. This search works perfect for my needs:
index=_internal group="per_index_thruput" earliest=@d latest=@h
| eval mb=kb/1024
| timechart span=1h sum(mb) as HourlyTotal by series
| addtotals fieldname=HourlyTotal
| streamstats sum(HourlyTotal) AS AccumulatedTOTAL
| table _time AccumulatedTOTAL
| eval _time=strftime(_time, "%m/%d %H:%M")
Get Updates on the Splunk Community!
Developer Spotlight with William Searle
The Splunk Guy: A Developer’s Path from Web to Cloud
William is a Splunk Professional Services Consultant with ...
Major Splunk Upgrade – Prepare your Environment for Splunk 10 Now!
Attention App Developers: Test Your Apps with the Splunk 10.0 Beta and Ensure Compatibility Before the ...
Stay Connected: Your Guide to June Tech Talks, Office Hours, and Webinars!
What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...
