Moving aggregate graph

wtanaka · ‎08-19-2011

How can I calculate a graph where:

For each point plotted on the graph, the y-axis is a count of the number of distinct values of a certain field in the last 5 minutes.

So if I had an log like this:

hh mm ss

00:00:30 myfield = 'A'

00:01:30 myfield = 'B'

00:02:30 myfield = 'C'

00:03:30 myfield = 'D'

00:04:30 myfield = 'C'

00:05:30 myfield = 'D'

00:06:30 myfield = 'C'

I'd like an output like this (only the counts, not the letters)

00:01:00 => 1 (A)

00:02:00 => 2 (A and B)

00:03:00 => 3 (A, B, C)

00:04:00 => 4 (A, B, C, D)

00:05:00 => 4 (A, B, C, D)

00:06:00 => 3 (B, C, D)

00:07:00 => 2 (C, D)

Is this possible with "concurrency?"

Johnvey · ‎08-19-2011

This is a straightfoward time-based statistical aggregation:

YOUR_SEARCH_HERE | timechart span=1m dc(myfield)

Remember to set the timerange of the search to 'last 5 minutes'.

If you want to see that actual values in its own column:

YOUR_SEARCH_HERE | timechart span=1m dc(myfield) values(myfield)

wtanaka · ‎08-19-2011

I'm trying to construct this moving aggregate graph over a long time frame, for example with a data set that's a year long, instead of 6 minutes long like in my example. Would that mean that I'd just set span=5m instead of 1m?

Moving aggregate graph

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life