Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: graph only cumulative data with timechart and ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bill_bartlett
Path Finder
03-09-2015
11:58 AM
I've found this on the Splunk wiki that gives great examples on how to graph several sources and their cumulative totals: http://wiki.splunk.com/Community:Search_Report:_How_To_Create_a_Chart_of_Hourly_and_Accumulated_Inde...
Is it possible to use a similar method, but to only graph the cumulative total and not each of the individual sources that make up that total?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
03-09-2015
12:37 PM
Just add a table/fields command to remove other columns.
Query version from Blogpost
index=_internal group="per_index_thruput" earliest=@d latest=@h
| eval mb=kb/1024
| timechart span=1h sum(mb) as HourlyTotal by series
| addtotals fieldname=HourlyTotal
| streamstats sum(HourlyTotal) AS AccumulatedTOTAL
| table _time AccumulatedTOTAL
Another version
index=_internal group="per_index_thruput" earliest=@d latest=@h
| eval mb=kb/1024
| timechart span=1h sum(mb) as HourlyTotal
| streamstats sum(HourlyTotal) AS AccumulatedTOTAL
| table _time AccumulatedTOTAL
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
03-09-2015
12:37 PM
Just add a table/fields command to remove other columns.
Query version from Blogpost
index=_internal group="per_index_thruput" earliest=@d latest=@h
| eval mb=kb/1024
| timechart span=1h sum(mb) as HourlyTotal by series
| addtotals fieldname=HourlyTotal
| streamstats sum(HourlyTotal) AS AccumulatedTOTAL
| table _time AccumulatedTOTAL
Another version
index=_internal group="per_index_thruput" earliest=@d latest=@h
| eval mb=kb/1024
| timechart span=1h sum(mb) as HourlyTotal
| streamstats sum(HourlyTotal) AS AccumulatedTOTAL
| table _time AccumulatedTOTAL
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bill_bartlett
Path Finder
03-09-2015
12:50 PM
Thank you, this is almost perfect. Is there a way to format the time bucket on the chart? As it is now, the format makes for a very ugly chart if graphing more than a handful of columns.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bill_bartlett
Path Finder
03-09-2015
01:00 PM
I've figured it out. This search works perfect for my needs:
index=_internal group="per_index_thruput" earliest=@d latest=@h
| eval mb=kb/1024
| timechart span=1h sum(mb) as HourlyTotal by series
| addtotals fieldname=HourlyTotal
| streamstats sum(HourlyTotal) AS AccumulatedTOTAL
| table _time AccumulatedTOTAL
| eval _time=strftime(_time, "%m/%d %H:%M")
Get Updates on the Splunk Community!
Changes to Splunk Instructor-Led Training Completion Criteria
We’re excited to share an update to our instructor-led training program that enhances the learning experience ...
Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!
❄️ Welcome the new year with our January lineup of Community Office Hours, Tech Talks, and Webinars! 🎉 ...
Preparing your Splunk Environment for OpenSSL3
The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...
