Will Splunk do a stacked area chart?  I'm able to get an area chart, but it's not 'stacked' (so each proxy totals to an aggregate).  I'm wondering if splunk can even do that?  I looked at the documentation and it appeared that it could, so I'm hoping maybe I'm just doing something wrong.  Under the 'Visualization" index = "myindex"| bin _time span=5m | stats sum(cs_bytes) as Bytes by proxy_server _time | eval Kbps=(((Bytes*8)/1000)/300) | timechart span=5m list(Kbps) by proxy_server ... View more

Hi all, I have been using Splunk for about 2 days, so am VERY new.  I'm trying to get a utilization number for endpoint analytics. What I would like is a query that can tell me the Kbps (formula below) per User each 5 minutes for whatever timespan dropdown I pick.  I have tried numerous ways to do it and have had no luck.  Is there a way I can get a table maybe?  that will show me the count (or maybe dc) of users each 5 minutes and the avg Kbps per user?   The query below gives me a timechart by src_IP, but it doesn't look right to me, so I'd like a way to verify (hence the table).    index="myIndex"  source="tcp:xxxx" | eval Kbps=(((cs_bytes*8)/1000)/300) | timechart span=5m avg(Kbps) by src_ip   I've tried this to get the table, but it doesn't work - it gives me zero matches   index="myIndex"  source="tcp:xxxx" | bin _time span=5m | dedup src_ip as SrcIP | streamstats sum(cs_bytes) as Bytes by SrcIP | eval Kbps=(((Bytes*8)/1000)/300) | table SrcIP Bytes Kbps   Any guidance is much appreciated! ... View more