chart on basis on time

LauraBre · ‎05-16-2012

Hello,

This is my search :

tag::source="TokenizerWatchdogSplunk" Service_Type="*" | eval series=case(Service_Type="T2D","detok",Service_Type="D2T","tok")|chart count by Requester, series

I have the number of tok and detok by requester in column. I want to have the same thing on basis on the time. How can I do it? If I add a field '_time' behind the last series, Splunk returns me an error.

Thanks by advance.

LauraBre · ‎05-16-2012

Ok, thanks. But how can do to have the time in dynamic. I want that in the dashboard, the users can change the time scale. Can't show two things one a same axis????

Ayn · ‎05-16-2012

If you don't specify a span argument to bucket it will choose an appropriate span itself, which might result in the behaviour you want.

Damien_Dallimor · ‎05-16-2012

Here is one potential approach. Bucket up your results based on _time, as in the below example, into 1 hour buckets.Adjust the span value to adjust the bucket duration you want.

tag::source="TokenizerWatchdogSplunk" Service_Type="*" | eval series=case(Service_Type="T2D","detok",Service_Type="D2T","tok")| bucket _time span=1h | stats count by Requester series _time

chart on basis on time

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life