How would I chart count of field values over time?

a212830 · ‎10-23-2014

Hi,

I have a very ugly data feed, and the customer thinks that they are getting duplicate events, because the event count goes up every so often. I think the issue is that the feed is different every so often, and I want to prove it by charting a specific fields value and count over time (with a 5 minute time span). I have this:

index=euc_vcdata sourcetype=VCSZoneInfo | table _time, SubzoneName which gives me time and the field, but now I want a count of the number of events to go with it.

Is there a way to do this?

somesoni2 · ‎10-23-2014

Try this ( useful when no of distinct values for field SubzoneName is not high (1-50)

index=euc_vcdata sourcetype=VCSZoneInfo | timechart span=5m count by SubzoneName

This should give a table with span=5m and count for each value of SubzoneName for those buckets.

jeremiahc4 · ‎10-23-2014

What @ppablo_splunk stated would plot the count of SubZoneName over 5 minute increments regardless of the value of SubZoneName. I think @a212830 is looking for duplicates of the values in SubZoneName during a 5 minute window. Perhaps a transaction command coupled with linecount>1 search would work.

 index=euc_vcdata sourcetype=VCSZoneInfo | transaction maxspan=5m SubZoneName | search linecount>1

ppablo · ‎10-23-2014

Hi @a212830

Are you looking for something like this?

index=euc_vcdata sourcetype=VCSZoneInfo | timechart span=5m count(SubzoneName)

How would I chart count of field values over time?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases