Solved: What does the "timechart per_day(total)" do in the...

flow2k · ‎02-22-2018

I was reading the documentation on per_day, here: https://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Timefunctions

In it, the first example is timechart per_day(total). What does this do exactly? Does it count the number of events with the field total for each day, and so generate a single data point for each day (and then plot it versus time)?

jkat54 · ‎02-22-2018

It’s the count of events with the field “total” bucketed per day.

View solution in original post

jkat54 · ‎02-22-2018

It’s the count of events with the field “total” bucketed per day.

flow2k · ‎02-22-2018

Okay, this is very clear. I don't know if it's just me, but the documentation's description "Returns the values of field X" sounds rather different - I was first led to believe somehow the value of the field total is of concern..when in fact the value doesn't matter at all, only the existence of the field matters.

flow2k · ‎02-22-2018

Wait, how come I see values like 0.0333? Isn't the count supposed to be an integer? Is some kind of division going on here?

jkat54 · ‎02-22-2018

So if you have one view in 7 days, per day is 1/7

flow2k · ‎02-22-2018

I see...so the timechart span matters here.

jkat54 · ‎02-22-2018

It’s doing the span for you as far as I can tell

What does the "timechart per_day(total)" do in the Splunk documentation for Time functions?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases