- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Timechart as VS Timechart by
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Timechart as VS Timechart by
Over the last 3 days I was trying to create dashboard with single value + trends.
The query was something like this:
- | dedup 1 src | timechart count by src
The goal was to get total number of src based on dashboard time range (before talking about the trends).
right now, by mistake (must be honest), I changed the query so I replaced the word by with as and it seems to work but not perfectly - when I change the time range to all time i expect to see all events but I get only one of them (although there are 5 events in results):
Can someone please tell me why I got confused and to translate my goal above into query correctly for next time?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you are looking for the total number of different srcs in any given time period, then use this
| timechart dc(src)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@DalJeanis
next to events tab I still see 5 but when I visualize it using single value, I see only 1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @shayhibah,
so what you are doing with your first search will split the timechart count by your Source IP.
So you basically count e.g. every hour how many Source IPs have been seen and split this value by each unique Source IP.
When using AS or as instead of by you are renaming the count field as "src"
You are now creating a count of all the Source IPs that where seen in e.g. an hour over time.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@pyro_wood
Thank you for the clarification, but if so, I see 5 events but when I visualize it using single value - I see only 1 instead of 5
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
With "by src" you have 1 result per event, it's not one value.
With "as src" you have 1 "count" result renamed in "src".
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@andreacorvini
Thank you for the clarification, but if so, I see 5 events but when I visualize it using single value - I see only 1 instead of 5
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| timechart count as src is the right code (count of "src" events renamed in "src").
If you use "count by src" and you have deduplicated "by src" in the previous action, you can have always 1 as result (1 event per "src").
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, you see 1 "count" field with value=5. No?
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
