Splunk Search

How to create a timechart showing how many unique FieldA were created in the last 7 days and the total number of unique FieldA?

jaimini1414
New Member

Hi all,

I am new to Splunk and I am trying to form a timechart for my following question:

How many unique entityx were created in last 7 days and what's the total number of unique entityx?

To do this, here is what I am doing

index=* host=* `logRecordType(entityx)` | timechart dc(entityx) AS "Number of Unique Unique"

But how do I add the total number of unique entityx in my chart......!!!!!

0 Karma
1 Solution

stephane_cyrill
Builder

Hi, try this:

...... | timechart span=7d values(entityx) AS values dc(entityx) AS "Number of Unique Unique"

If you need only for the last 7 days:

... | timechart span=7d values(entityx) AS values dc(entityx) AS "Number of Unique Unique" | head 1

stephane_cyrill
Builder

jaimini1414, I'm happy to see that you are satisfied.

I also see that you accepted. BUT MY KARMA HISTORY SHOWS A DOWN VOTE from you. Why?

0 Karma

jaimini1414
New Member

Hey, thanks for your response... But I would like to have the total number of unique ones... I still don't see it.

I don't mind seeing the total in the legends as well... But still no, I don't see that...

0 Karma

stephane_cyrill
Builder

I don't understand you very well. Assuming that you have many "Number of Unique Unique", do you want their total? If that is the case, remove head and do:

......|addtotals fieldname="Number of Unique Unique"

jaimini1414
New Member

This worked... Thanks...!!!

0 Karma
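
One way to chart both numbers from the original question on the same timechart, as an added example that is not part of the thread. It assumes the `logRecordType(entityx)` macro and the `entityx` field from the question; the 7-day window, the 1-day span and the output field names are illustrative choices. `eventstats` computes the distinct count over the whole search window before bucketing, so an entity seen on several days is counted once in the total rather than once per bucket.

```spl
index=* host=* `logRecordType(entityx)` earliest=-7d@d
| eventstats dc(entityx) AS total_unique
| timechart span=1d dc(entityx) AS "Unique per day" max(total_unique) AS "Total unique"
```

The "Total unique" series is a flat line at the overall distinct count, which also puts it in the chart legend.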