Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

timechart of a sliding window count

pr0n
Explorer
‎07-10-2019 11:35 AM

I need a timechart that counts the number of distinct fieldx where that fieldx has more than x events in that span/bin.

I hope that makes sense, so sudocode would be something like 

index=blah | stats count by fieldx as blah | where blah>5 |timechart span=1hr count distinct by fieldx

That search obviously doesn't work, I'm not sure how to structure it to get what I want.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-10-2019 01:03 PM

The pseudo-code fails because the stats command eliminated the _time field needed by timechart. Try this alternative:

index = blah | bin span=1h _time | stats count by _time fieldx | where count > 5 | timechart span=1h max(count) by fieldx
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

pr0n
Explorer
‎07-10-2019 01:03 PM

I was able to do this at seems to work correctly

index=asdf fieldx=* | bucket _time span=day  | stats  count by fieldx _time  | where count>2  | timechart distinct_count(fieldx)
0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-10-2019 01:03 PM

The pseudo-code fails because the stats command eliminated the _time field needed by timechart. Try this alternative:

index = blah | bin span=1h _time | stats count by _time fieldx | where count > 5 | timechart span=1h max(count) by fieldx
---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...