Splunk Search

graph only cumulative data with timechart and streamstats

bill_bartlett
Path Finder

I've found this on the Splunk wiki that gives great examples on how to graph several sources and their cumulative totals: http://wiki.splunk.com/Community:Search_Report:_How_To_Create_a_Chart_of_Hourly_and_Accumulated_Inde...

Is it possible to use a similar method, but to only graph the cumulative total and not each of the individual sources that make up that total?

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Just add a table/fields command to remove other columns.

Query version from Blogpost

index=_internal group="per_index_thruput" earliest=@d latest=@h
   | eval mb=kb/1024
   | timechart span=1h sum(mb) as HourlyTotal by series
   | addtotals fieldname=HourlyTotal
   | streamstats sum(HourlyTotal) AS AccumulatedTOTAL 
   | table _time AccumulatedTOTAL

Another version

  index=_internal group="per_index_thruput" earliest=@d latest=@h
       | eval mb=kb/1024
       | timechart span=1h sum(mb) as HourlyTotal
       | streamstats sum(HourlyTotal) AS AccumulatedTOTAL 
       | table _time AccumulatedTOTAL

View solution in original post

somesoni2
SplunkTrust
SplunkTrust

Just add a table/fields command to remove other columns.

Query version from Blogpost

index=_internal group="per_index_thruput" earliest=@d latest=@h
   | eval mb=kb/1024
   | timechart span=1h sum(mb) as HourlyTotal by series
   | addtotals fieldname=HourlyTotal
   | streamstats sum(HourlyTotal) AS AccumulatedTOTAL 
   | table _time AccumulatedTOTAL

Another version

  index=_internal group="per_index_thruput" earliest=@d latest=@h
       | eval mb=kb/1024
       | timechart span=1h sum(mb) as HourlyTotal
       | streamstats sum(HourlyTotal) AS AccumulatedTOTAL 
       | table _time AccumulatedTOTAL

bill_bartlett
Path Finder

Thank you, this is almost perfect. Is there a way to format the time bucket on the chart? As it is now, the format makes for a very ugly chart if graphing more than a handful of columns.

0 Karma

bill_bartlett
Path Finder

I've figured it out. This search works perfect for my needs:

index=_internal group="per_index_thruput" earliest=@d latest=@h
    | eval mb=kb/1024
    | timechart span=1h sum(mb) as HourlyTotal by series
    | addtotals fieldname=HourlyTotal
    | streamstats sum(HourlyTotal) AS AccumulatedTOTAL 
    | table _time AccumulatedTOTAL
    | eval _time=strftime(_time, "%m/%d %H:%M")
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...