
Make chart value ranges and show the number of hits in that range

enkoma
Engager

I have a database with two values (time and fees). It shows the fees that someone pays and the time in seconds each transaction takes to validate. Representing it is a simple bar chart like

source="dbmon-dump://Bitcoin/Transactions" | eval Fee=fee/1000 | chart avg(Fee) by time

I would like to represent time ranges, as I have several times for each transaction and it's difficult to represent in a bar chart, e.g. the field time defined as groups of 100 (0-100, 101-200, 201-301 and so on).

If there is a way, I would also like to represent the number of transactions (number of rows) used in each time range and show it in the same chart, in line mode. For example, having in the range 0-100 an average fee of 25 (shown as the first column with height 25 on the y-axis) and, let's say, a point at 200 (on a new y-axis) which represents the number of rows used to obtain the column.

Can anybody help with this? This should be very simple, but I'm just starting to work with Splunk.

Thank you very much!!


lguinn2
Legend

Why not

source="dbmon-dump://Bitcoin/Transactions" | eval Fee=fee/1000 | timechart avg(Fee) span=15m

where you can make the span any time range that you like?

(Although if you make a huge number of small time ranges, there won't be enough pixels for Splunk to graph it! You will get a warning - and no graph.)

Or, since your data may not have a timestamp

source="dbmon-dump://Bitcoin/Transactions" | eval Fee=fee/1000 
| bucket time span=15m | chart avg(Fee) by time

This assumes that the time field is in Linux epoch time. If it is not, you can convert it:

eval time=strptime(time,"%Y-%m-%d %H:%M:%S")

for example, but your time format could be different.


enkoma
Engager

Despite it not really being a time chart, because I'm just trying to pair the number of seconds a transaction takes, the bucket time span=100s works for me and now the chart is grouping it, so it's a perfect solution, thank you very much!!


enkoma
Engager

For adding the second chart, I can answer myself with:

source="dbmon-dump://Bitcoin/Transactions" | eval Fee=fee/1000 | chart avg(Fee) count by time

This gets something like the chart I'm looking for, but I'm still missing how to make ranges for the "time" field.

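Putting the accepted answer's bucketing together with the count from the follow-up, as an added example search (not from the original thread); it assumes the field time holds whole seconds as a number and the bin width of 100 seconds the asker wanted:

```spl
source="dbmon-dump://Bitcoin/Transactions"
| eval Fee=fee/1000
| bin time span=100
| chart avg(Fee) AS avg_fee, count AS transactions BY time
```

bin is the current name of bucket; span=100 turns time into range labels such as 0-100 and 100-200, and chart then gives one row per range with both the average fee and the number of transactions behind it. To draw transactions as a line on its own y-axis, pick it as a Chart Overlay in the chart's Format menu in Splunk Web and enable the separate axis there.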