Timechart Function

chintu30
New Member

I am new to Splunk, so this question might be straightforward! I am looking to create a stacked chart by day.

This is the search that worked for 1 column. I am looking to add many more columns in addition to Mobile, i.e. 720P, 1080P. So the strings are OutputProfile-720P, OutputProfile-1080P. What is the best way to create a timechart with 3 columns and then create a stacked bar chart?

"OutputProfile-Mobile" NOT "Failed" | timechart count(host) as "Mobile"

Thanks very much for your help!
Chintu


chintu30
New Member

Thanks very much, this was very helpful!

I had just a couple more questions -

  1. For the time range - what is the best way to show the data by month, and the current month's data will update maybe end of every day?
  2. In the above situation, will it run the search every time the dashboard is loaded, or will it store the historical data and just load the current data?

Thanks again!


Bubeshkumar
New Member
  1. Convert the current search to a summary index search, schedule the search to run every day at 1 am or 2 am to get yesterday's data, and store it in the summary index.

  2. Create another search to get data from the summary index, and in your dashboard do the search with timechart span=1m for the year. The search will be faster.

or
Create an Advanced dashboard with a time component so that you can make your search run with a custom time.


Bubeshkumar
New Member

Try this,

search "OutputProfile-720P" OR "OutputProfile-1080P" NOT "Failed" | rex "OutputProfile-(?<MOBILE_TYPE>\d+\w{1})" | timechart count by MOBILE_TYPE


Bubeshkumar
New Member

Yes, it's case sensitive. I don't know, somehow it's not showing my backslash and the uppercase was gone, I don't know; hopefully this comment displays my search properly... :)

search "OutputProfile-720P" OR "OutputProfile-1080P" NOT "Failed" | rex "OutputProfile-(?<mobile_type>\d+\w{1})" | timechart count by mobile_type


lguinn2
Legend

MOBILE_TYPE at the end has to be lower-case, as field names are case-sensitive. You could make that search even more generic with:

"OutputProfile-720P" OR "OutputProfile-1080P" OR "OutputProfile-Mobile" NOT "Failed" | rex "OutputProfile-(?<profile_type>\S+)" | timechart count by profile_type


lguinn2
Legend

It's not quite as straightforward as you might think. The timechart command can only accept one 'split by' series, kind of like this:

timechart count by field

So you need to create a single field that reflects the type of data. There are lots of ways to do this, but I suggest this as a starting point:

  • Create an eventtype for each profile. For example, run the following search and then save it as an eventtype named "Mobile" ("Create Eventtype" in 4.3)

    "OutputProfile-Mobile" NOT "Failed"

  • After you have created the eventtypes, run the following search:

    eventtype=Mobile OR eventtype=P720 OR eventtype=P1080 | timechart count(host) by eventtype

BTW, count(host) actually means "count the number of events that have a value for the host field", and not "count the number of unique hosts." I mention this because it is often a point of confusion.
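To make the single split-by field concrete, here is an added Python emulation (not from the thread and not Splunk's own code) of the rex extraction followed by a per-day timechart count by profile_type over a few constructed sample events; a second function shows the dc(host) distinction lguinn2 raises. The events, host names and job ids are made up for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not from the original thread): (timestamp, host, message).
SAMPLE_EVENTS = [
    ("2024-03-01T08:00:00", "enc01", "job=42 OutputProfile-Mobile status=OK"),
    ("2024-03-01T09:15:00", "enc01", "job=43 OutputProfile-720P status=OK"),
    ("2024-03-01T10:30:00", "enc02", "job=44 OutputProfile-1080P status=OK"),
    ("2024-03-01T11:00:00", "enc02", "job=45 OutputProfile-1080P status=Failed"),
    ("2024-03-02T08:05:00", "enc01", "job=46 OutputProfile-Mobile status=OK"),
    ("2024-03-02T08:10:00", "enc01", "job=47 OutputProfile-Mobile status=OK"),
    ("2024-03-02T09:00:00", "enc03", "job=48 OutputProfile-720P status=OK"),
]

# Same pattern as the generic rex in the thread; Python spells the named group (?P<name>...).
PROFILE_RE = re.compile(r"OutputProfile-(?P<profile_type>\S+)")

def timechart_by_profile(events):
    """Emulate: NOT "Failed" | rex ... | timechart span=1d count(host) by profile_type.
    Returns {day: {profile_type: count}}. count(host) counts events that carry a host
    value, so two events from the same host add 2, not 1."""
    table = defaultdict(lambda: defaultdict(int))
    for ts, host, msg in events:
        if "Failed" in msg:           # the NOT "Failed" filter
            continue
        m = PROFILE_RE.search(msg)    # no match -> no profile_type field -> dropped by split-by
        if m is None or not host:     # count(host) only counts events that have a host value
            continue
        day = datetime.fromisoformat(ts).date().isoformat()
        table[day][m.group("profile_type")] += 1
    return {d: dict(cols) for d, cols in table.items()}

def distinct_hosts_by_profile(events):
    """The dc(host) alternative: number of unique hosts per day and profile."""
    seen = defaultdict(lambda: defaultdict(set))
    for ts, host, msg in events:
        m = PROFILE_RE.search(msg)
        if "Failed" in msg or m is None:
            continue
        day = datetime.fromisoformat(ts).date().isoformat()
        seen[day][m.group("profile_type")].add(host)
    return {d: {p: len(h) for p, h in cols.items()} for d, cols in seen.items()}

if __name__ == "__main__":
    print(timechart_by_profile(SAMPLE_EVENTS))      # one row per day, one column per profile
    print(distinct_hosts_by_profile(SAMPLE_EVENTS))  # Mobile on 2024-03-02 drops from 2 to 1
```

Each day's dict is one row of the stacked bar chart, with the profile_type values as the stacked series.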
