Splunk Search

What is being counted in this query?

Justin1224
Communicator

What is being counted in this query? Here it is:

| tstats count from datamodel=Authentication by _time span=10m | timechart minspan=10m count

The best I can figure out, it is counting from the datamodel named "Authentication" by the field "_time" in 10 minute increments. However, that doesn't really explain what is being counted. It doesn't specify a field other than _time. And the search would be kind of useless if it only counted in 10 minute intervals with nothing else. Does anyone have any ideas as to what this search is doing?

If it helps, the search was dubbed "Access - Access Over Time".


somesoni2
SplunkTrust
SplunkTrust

If no field name is passed (just count is used and not count(field)), it's counting the number of records from the data source.

The by _time span=10m is causing the _time field to be bucketed into 10 min sections, e.g. 10/14/2016 00:00, 10/14/2016 00:10, 10/14/2016 00:20..., and then the count (of results which fall under that _time bucket) is done for each bucket value of _time.

The output would be like this

10 min bucketed _time value --- count of events from datamodel=Authentication which have _time within range of bucketed _time

_time               count
10/14/2016 00:00    xxx
10/14/2016 00:10    yyyy
10/14/2016 00:20    zzzz
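
As an added illustration (not code from this thread or from Splunk), the Python below reproduces what the two pipeline stages do over a constructed set of Authentication event timestamps: the `tstats ... by _time span=10m` stage floors every `_time` to its 10-minute bucket and counts rows per bucket, and the `timechart minspan=10m count` stage lays those rows out on a continuous axis, reporting buckets with no events as 0. The event list and function names are assumptions for the demonstration.

```python
from datetime import datetime, timedelta

SPAN = timedelta(minutes=10)

# Constructed sample: the _time of six Authentication data-model events.
# No other field is needed, because a bare "count" looks at none.
SAMPLE_EVENTS = [
    "2016-10-14 00:01:12", "2016-10-14 00:04:59", "2016-10-14 00:09:59",
    "2016-10-14 00:10:00", "2016-10-14 00:17:30", "2016-10-14 00:33:05",
]


def bucket_start(ts, span=SPAN):
    """Floor ts to the start of its bucket, as 'by _time span=10m' does."""
    since_epoch = (ts - datetime(1970, 1, 1)).total_seconds()
    return ts - timedelta(seconds=since_epoch % span.total_seconds())


def tstats_count_by_time(events, span=SPAN):
    """'| tstats count ... by _time span=10m': one row per bucket that
    actually holds events; buckets with no events are simply absent."""
    counts = {}
    for raw in events:
        b = bucket_start(datetime.strptime(raw, "%Y-%m-%d %H:%M:%S"), span)
        counts[b] = counts.get(b, 0) + 1
    return sorted(counts.items())


def timechart_count(rows, span=SPAN):
    """'| timechart minspan=10m count' over those rows: a continuous axis
    from the first bucket to the last, empty buckets reported as 0."""
    if not rows:
        return []
    counts, t, last = dict(rows), rows[0][0], rows[-1][0]
    out = []
    while t <= last:
        out.append((t, counts.get(t, 0)))
        t += span
    return out


if __name__ == "__main__":
    for t, c in timechart_count(tstats_count_by_time(SAMPLE_EVENTS)):
        print(t.strftime("%m/%d/%Y %H:%M"), c)
```

A bare `count` tallies every event in the data model, successful and failed logons alike, so the chart shows total authentication volume; restricting it to failures is done with a `where Authentication.action=failure` clause in the same `tstats` call.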

Justin1224
Communicator

That helps, thank you!

Justin1224
Communicator

So just for clarification, the timechart part at the end is just formatting the data into a timechart right?

inventsekar
Ultra Champion

Yes, timechart creates a chart/table like this one -

_time               count
10/14/2016 00:00    xxx
10/14/2016 00:10    yyyy
10/14/2016 00:20    zzzz

somesoni2
SplunkTrust
SplunkTrust

That is correct...