I was reading the documentation on per_day, here: https://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Timefunctions
In it, the first example is timechart per_day(total). What does this do exactly? Does it count the number of events with the field total for each day, and so generate a single data point for each day (and then plot it versus time)?
It’s the count of events with the field “total” bucketed per day.
Okay, this is very clear. I don't know if it's just me, but the documentation's description "Returns the values of field X" sounds rather different - I was first led to believe somehow the value of the field total is of concern... when in fact the value doesn't matter at all, only the existence of the field matters.
Wait, how come I see values like 0.0333? Isn't the count supposed to be an integer? Is some kind of division going on here?
So if you have one view in 7 days, per day is 1/7
I see... so the timechart span matters here.
It’s doing the span for you as far as I can tell