Splunk Search

What does the "timechart per_day(total)" do in the Splunk documentation for Time functions?

flow2k
Explorer

I was reading the documentation on per_day, here: https://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Timefunctions

In it, the first example is timechart per_day(total). What does this do exactly? Does it count the number of events with the field total for each day, and so generate a single data point for each day (and then plot it versus time)?

0 Karma
1 Solution

jkat54
SplunkTrust
SplunkTrust

It’s the count of events with the field “total” bucketed per day.

View solution in original post

jkat54
SplunkTrust
SplunkTrust

It’s the count of events with the field “total” bucketed per day.

flow2k
Explorer

Okay, this is very clear. I don't know if it's just me, but the documentation's description "Returns the values of field X" sounds rather different - I was first led to believe somehow the value of the field total is of concern..when in fact the value doesn't matter at all, only the existence of the field matters.

0 Karma

flow2k
Explorer

Wait, how come I see values like 0.0333? Isn't the count supposed to be an integer? Is some kind of division going on here?

0 Karma

jkat54
SplunkTrust
SplunkTrust

So if you have one view in 7 days, per day is 1/7

0 Karma

flow2k
Explorer

I see...so the timechart span matters here.

0 Karma

jkat54
SplunkTrust
SplunkTrust

It’s doing the span for you as far as I can tell

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...