I have the following query that queries for value data for a given label data pair. The query runs fine, but it adds the value as rows.
source=… labelData!="" AND ("labelDataValue= " OR labelDataValue!="")
| eval label=if(isnull(labelDataValue),"no-value","value-present")
| stats count by label
output:
label            count
----------------------
no-value         100
value-present    500
I'd like to get to this output so that I can eventually roll this query into a daily volume chart, so that I can use a stacked chart displaying "no-value" and "value-present" on top of each other... so I would need output like this?
time                    no-value  value-present
-----------------------------------------------
2/11/14 6:00:00.000 PM  100       500
2/12/14 6:00:00.000 PM  105       510
. . .
Is this good? Please change "_time".
source=… labelData!="" AND ("labelDataValue= " OR labelDataValue!="")
| eval label=if(isnull(labelDataValue),"no-value","value-present")
| stats count(eval(label="no-value")) as "no-value",count(eval(label="value-present")) as "value-present" by _time
It is an example of using _time.
source=… labelData!="" AND ("labelDataValue= " OR labelDataValue!="")
| eval label=if(isnull(labelDataValue),"no-value","value-present")
| timechart span=d count(eval(label="no-value")) as "no-value",count(eval(label="value-present")) as "value-present"
Thanks... this works beautifully! QQ: what would I change "by _time" to if I wanted data counted up in 24hr chunks? When I tested my query I took the "by _time" out and was just running it as "Last 15 minutes" per Splunk's main query interface (green) button.
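To make concrete what the `stats count by label` query and the `timechart span=d` answer each compute, here is an added Python illustration (not Splunk code and not from the original thread) that reproduces the `isnull` labelling, the per-label row output, and the 24hr bucketing with one row per day and both labels as columns. The events, timestamps and values are constructed for the example; bucket boundaries are taken in UTC, whereas Splunk aligns spans to the search user's time zone.

```python
from collections import defaultdict
from datetime import datetime, timezone

def _ts(*ymdhm):
    """Helper: build an epoch-seconds _time value for the constructed events (UTC)."""
    return datetime(*ymdhm, tzinfo=timezone.utc).timestamp()

# Constructed sample events: (_time, labelDataValue). None stands for an event
# where labelDataValue was never extracted, i.e. isnull(labelDataValue) is true.
SAMPLE_EVENTS = [
    (_ts(2014, 2, 11, 18, 0), "abc"),
    (_ts(2014, 2, 11, 18, 5), None),
    (_ts(2014, 2, 11, 23, 59), "xyz"),
    (_ts(2014, 2, 12, 0, 1), None),
    (_ts(2014, 2, 12, 18, 0), "def"),
    (_ts(2014, 2, 13, 9, 0), None),
]

SPAN_SECONDS = 86400  # span=1d, i.e. 24hr chunks

def label_event(label_data_value):
    """Mirror of: eval label=if(isnull(labelDataValue),"no-value","value-present")"""
    return "no-value" if label_data_value is None else "value-present"

def stats_by_label(events):
    """Mirror of: stats count by label -- the original output, one row per label."""
    counts = {"no-value": 0, "value-present": 0}
    for _, value in events:
        counts[label_event(value)] += 1
    return counts

def timechart_daily(events, span=SPAN_SECONDS):
    """Mirror of: timechart span=1d count(eval(label="no-value")) AS "no-value",
    count(eval(label="value-present")) AS "value-present".
    _time is floored to the start of its span, giving one row per day with both
    labels as columns; a label absent on a given day is reported as 0."""
    rows = defaultdict(lambda: {"no-value": 0, "value-present": 0})
    for ts, value in events:
        bucket = int(ts) - int(ts) % span  # floor _time to the day boundary
        rows[bucket][label_event(value)] += 1
    return [
        (datetime.fromtimestamp(b, timezone.utc).strftime("%Y-%m-%d"),
         rows[b]["no-value"], rows[b]["value-present"])
        for b in sorted(rows)
    ]

if __name__ == "__main__":
    print(stats_by_label(SAMPLE_EVENTS))
    for day, no_value, value_present in timechart_daily(SAMPLE_EVENTS):
        print(f"{day}  no-value={no_value}  value-present={value_present}")
```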