Re: time vs repeating data

jdomar · ‎11-01-2013

I would like to set a search timeframe of 1 week and for each day report the subtotals of Items 1, 2 and 3 (the items are the same for each day but the Quantity changes). The output would reflect this as:

2013-11-01.....Item 1.....Quantity

2013-11-01.....Item 2.....Quantity

2013-11-01.....Item 3.....Quantity

2013-11-02.....Item 1.....Quantity

2013-11-02.....Item 2.....Quantity

2013-11-02.....Item 3.....Quantity

2013-11-03.....Item 1.....Quantity

2013-11-03.....Item 2.....Quantity

2013-11-03.....Item 3.....Quantity

etc.
I am able to isolate all of the field data but i am not sure how to structure the search to give the above output.

Any help would be greatly appreciated.

Akita881 · ‎11-01-2013

That work with tweaking. Thank you, Very much!

kristian_kolb · ‎11-01-2013

Hi,

...| bucket _time span=1d | stats sum(Quantity) by Item, _time

Is probably close to what you need, but there are other options, depending on what your data looks like. Other options include;

... | timechart span=1d sum(Quantity) by Item

Hope this helps,

K

time vs repeating data

Splunk Observability for AI

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

Join the Conversation

time vs repeating data

Splunk Observability for AI

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!