time vs repeating data

jdomar · ‎11-01-2013

I would like to set a search timeframe of 1 week and for each day report the subtotals of Items 1, 2 and 3 (the items are the same for each day but the Quantity changes). The output would reflect this as:

2013-11-01.....Item 1.....Quantity

2013-11-01.....Item 2.....Quantity

2013-11-01.....Item 3.....Quantity

2013-11-02.....Item 1.....Quantity

2013-11-02.....Item 2.....Quantity

2013-11-02.....Item 3.....Quantity

2013-11-03.....Item 1.....Quantity

2013-11-03.....Item 2.....Quantity

2013-11-03.....Item 3.....Quantity

etc.
I am able to isolate all of the field data but i am not sure how to structure the search to give the above output.

Any help would be greatly appreciated.

Akita881 · ‎11-01-2013

That work with tweaking. Thank you, Very much!

kristian_kolb · ‎11-01-2013

Hi,

...| bucket _time span=1d | stats sum(Quantity) by Item, _time

Is probably close to what you need, but there are other options, depending on what your data looks like. Other options include;

... | timechart span=1d sum(Quantity) by Item

Hope this helps,

K

time vs repeating data

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms