Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to create a single value timechart after stats...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
alc2019
New Member
03-13-2019
12:25 PM
Hi,
I'm doing a device count based on device latest time event registration. I'm getting the correct device registration count here on a single value (ex. 1000 count) filed but with no trending:
index.... ... earliest=-1mon
| stats count latest(_time) as last_update by device_name EventType
| search EventType="Registered"
| stats count(device_name) as Device_Count by last_update
I would like create a single value visualization to show trend of device registration compared to 2 weeks ago count. I tried the following but I'm not getting the same count as my device registration.
index.... ... earliest=-1mon
| stats count latest(_time) as last_update by device_name EventType _time
| search EventType="Registered"
| stats count(device_name) as Device_Count by last_update
| timechart span=2w count(Device_Count)
How can I fix this to show trend of the correct count of registered devices compared to 2-weeks ago?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
03-14-2019
03:56 AM
@alc2019,
Try
index.... ... earliest=-1mon EventType="Registered"
| timechart span=2w count(device_name) as device_count
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
03-14-2019
03:56 AM
@alc2019,
Try
index.... ... earliest=-1mon EventType="Registered"
| timechart span=2w count(device_name) as device_count
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
alc2019
New Member
03-14-2019
07:34 AM
Hi Renjith,
Thanks for the help but it will not work on my case as those devices register multiple times in a day and I have to count the registration based on their latest registration time.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
03-14-2019
07:39 AM
@alc2019,
What about
index.... ... earliest=-1mon EventType="Registered"
|stats latest(_time) as _time by device_name
| timechart span=2w count(device_name) as device_count
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
alc2019
New Member
03-14-2019
08:40 PM
Perfect - works!
Thank you
Get Updates on the Splunk Community!
.conf24 | Day 0
Hello Splunk Community!
My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...
Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...
(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...
Troubleshooting the OpenTelemetry Collector
In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...
