Splunk Search

How edit my search to get a chart of bin counts over time?

viraptor
New Member

I'd like to create a chart of bin counts over time (with a span defined). Right now, I can get the result over the whole time period using:

... | stats count by clientip | bin count as bins | stats count by bins

How can I change this to get a chart of bin counts over time?

0 Karma

jkat54
SplunkTrust
SplunkTrust

Is this what you're looking for?

... | timechart distinctcount(bin)

Or

... | timechart count(bin)

Maybe

... | streamstats count(bin) as bincount by clientip _time | timechart bincount by clientip

Or

... | timechart span=1w count by clientip

0 Karma

niketn
Legend

@viraptor... You would need to retain the _time field after your first stats command runs. So you can use min(_time) or max(_time) function to retain the same and pass that on to timechart to plot count of bins over _time.

| stats count min(_time) as _time by clientip 
| bin count as bins 
| timechart count by bins
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

viraptor
New Member

That's not really what I'm after. This will give me the time of the first request for a given clientip. It may approximate what I'm after, but the difference matters in my case. I want the results analysed for each (for example) 15 min span separately.

0 Karma

niketn
Legend

Are you looking for somthing like the following?

 | stats count min(_time) as _time max(_time) as MaxTime by clientip 
 | eval duration=MaxTime-_time 
 | bin count as bins 
 | table _time bins duration

You might need to post-process and show duration via Timeline visualization and count via simple timechart.

Anyways. Let me also convert my Answer to comment so that others can pitch in with their answers/opinions.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...