×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
zachary_hickman
Explorer
Member since: ‎05-07-2013
‎06-05-2020
Community Statistics
Posts 6
Solutions 0
Karma Given 1
Karma Received 1
Member Since ‎05-07-2013
Activity Feed
View All

Re: Success/Failure sum for each day

by Splunk Employee in Dashboards & Visualizations
‎06-21-2013 07:50 AM
‎06-21-2013 07:50 AM
I don't think this gives you what you want, but it's a couple steps away: ... | bin _time span=1d | stats sum(success) as success sum(failure) as failure by _time,field1 or ... | timechart span=1d sum(success) as s sum(failure) as f by field1 This gives you the data you want, but I think that unfortunately the default Splunk charting capabilities don't let you display the data in the way you want. Specifically, the timechart will only really graph 3 dimensions well (time, count of success/failure, and series/field1) and you really want it to show 4 dimensions (time, count, series/field1, success/failure). More simply, it won't let you create more than one stack per time interval, and you want two of them. Now, you can do some dirty trick to try to fake this by coding success/failure inside of time, e.g.: ... | bucket _time span=1d | stats sum(success) as s sum(failure) as f by _time,field1 | eval v=mvappend(s,f) | mvexpand v | eval _time=if(v=s,_time,relative_time(_time,"+12h") | timechart span=12h sum(v) as v by field1 which would kind of look right, but the data would be screwy. ... View more

Re: How can I make a timechart from the following ...

by SplunkTrust in Splunk Search
‎05-16-2013 06:22 AM
‎05-16-2013 06:22 AM
Then the next step would be to get those fields extracted, see http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Createandmaintainsearch-timefieldextractionsthroughconfigurationfiles for reference. ... View more

Re: Correct REGEX for separating TIMESTAMP - val1;...

by Splunk Employee in Splunk Search
‎05-15-2013 11:41 AM
‎05-15-2013 11:41 AM
I think what you are looking for is to use the line breaker to break up the events. http://docs.splunk.com/Documentation/Splunk/5.0.2/Data/Indexmulti-lineevents The problem is that when you break up the line, it may not maintain the time stamp as Splunk will look for another timestamp after the break. So this might be less than ideal depending on what you are looking to do with your data. It might be better to reformat the source data to have a timestamp with each key value pair. Otherwise, you may want to take a look at the search language to provide you with different ways to format your data from values in a single event. ... View more

Re: Formatting a Search for a Stacked Bar Graph

by Splunk Employee in Splunk Search
‎05-14-2013 07:21 AM
‎05-14-2013 07:21 AM
I think you are looking for something like below, based on your data, with 'count' and 'useragent' being your fields. <your search> | bucket _time span=1d |stats count(Count) by userAgent ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:03 AM
Karma from
View All
Karma given to
View All