Dashboards & Visualizations

Line Chart with a day wise usage count

zacksoft
Contributor

I want to know how frequently a keyword is found (from the list of events) and see it in a time chart.
This is the search I am using; I am not sure if I am using it correctly.
And there is a null line found in the line chart.

(host="HostA" OR host="HostB") "videostreamed"
| eval view=if(like(_raw,"%videostreamed%"),"Prime_Streamed","Other")
| timechart span=1d count by view

I want to know the number of events generated with the keyword "videostreamed", based on the base search I have, on a daily basis in a line chart.
Example: if the line chart has a spike on Monday, it should mean more events were found with "videostreamed".
The more events there are, the higher the usage that day.

I hope I am clear with my explanation

0 Karma
1 Solution

HiroshiSatoh
Champion

I think this alone is good.

(host="HostA" OR host="HostB") "videostreamed"
| timechart span=1d count

Do you also need a number that does not match?


0 Karma

woodcock
Esteemed Legend

I think this:

host="HostA" OR host="HostB"
| timechart span=1d count AS total count(eval(searchmatch("videostreamed"))) AS Prime_Streamed

Or, probably you'd like this better:

host="HostA" OR host="HostB"
| bucket _time span=1d
| stats count AS total count(eval(searchmatch("videostreamed"))) AS Prime_Streamed BY _time
| eval pct = 100 * Prime_Streamed / total
| timechart span=1d avg(pct) AS pct
0 Karma
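The two approaches above (the accepted answer's plain daily count and woodcock's conditional count) can be tried without any indexed data. The search below is an added example, not code posted in this thread; it builds a handful of constructed sample events with makeresults (hosts HostA, HostB and HostC and the action strings are made up), filters on the two hosts the question names, and produces a daily line chart with the total, the "videostreamed" count, the non-matching count that the asker said would also help, and the percentage. It assumes a Splunk instance with the time range picker set to at least "Last 7 days", because the sample timestamps are placed one and two days before now.

```spl
| makeresults
| eval rows="-2d@d|9|HostA|user=bob action=videostreamed title=alpha;-2d@d|13|HostB|user=ann action=videostreamed title=beta;-2d@d|15|HostA|user=cat action=paused title=alpha;-1d@d|10|HostB|user=dan action=videostreamed title=gamma;-1d@d|11|HostA|user=eve action=paused title=beta;-1d@d|12|HostA|user=fay action=paused title=delta;-1d@d|14|HostC|user=gil action=videostreamed title=alpha"
| eval rows=split(rows, ";")
| mvexpand rows
| eval parts=split(rows, "|")
| eval _time=relative_time(now(), mvindex(parts, 0)) + tonumber(mvindex(parts, 1)) * 3600,
       host=mvindex(parts, 2),
       _raw=mvindex(parts, 3)
| fields _time host _raw
| search host="HostA" OR host="HostB"
| timechart span=1d count AS total, count(eval(like(_raw, "%videostreamed%"))) AS Prime_Streamed
| eval Not_Streamed=total - Prime_Streamed,
       pct_streamed=round(100 * Prime_Streamed / total, 1)
```

With the constructed rows this yields two days: the earlier day has total=3, Prime_Streamed=2, Not_Streamed=1, pct_streamed=66.7; the later day has total=3, Prime_Streamed=1, Not_Streamed=2, pct_streamed=33.3 (the HostC event is dropped by the host filter). In a real search replace the makeresults block with the base search `host="HostA" OR host="HostB"`; `like(_raw, "%videostreamed%")` can be swapped for `searchmatch("videostreamed")` as in woodcock's answer. Because the matching is done inside `count(eval(...))` rather than by splitting the series with `BY`, there is no NULL series for the non-matching events, which is the "null line" the question mentions.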

ppuru
Path Finder

You may want to consider assigning a number to it.
index=* | eval Text_Found = if(like(_raw,"%GET%"),1,0) | where Text_Found=1 | timechart span=1m count by Text_Found

0 Karma

zacksoft
Contributor

Yes, that would help too.

0 Karma