- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Can you help me with the following timechart query...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=X sourcetype=X source=X | timechart first(percentage_allocation) as percentage_allocation by devicename
I am facing an issue with the following query, in case, where there are multiple logs with a different variable named "link" and I would like to use that as a data search like :
devicename=a percentage_allocation=1 link=a
devicename=a percentage_allocation=2 link=a
devicename=a percentage_allocation=3 link=b
Above query will look for the first log of percentage_allocation by devicename in that month and show percentage allocation, but i would like to make sure it shows me on a basis of different links as well, but I can't see any option to use any function to get data on a basis of new variable which is "link" in timechart as it allows only BY keyword and OVER is already for time.
Can i use a 3rd variable as a data qualifier?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you could use an eval to combine your devicename and link into one field then do a timechart
index=X sourcetype=X source=X
| eval device_link = devicename." - ".link
| timechart first(percentage_allocation) as percentage_allocation by device_link
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you could use an eval to combine your devicename and link into one field then do a timechart
index=X sourcetype=X source=X
| eval device_link = devicename." - ".link
| timechart first(percentage_allocation) as percentage_allocation by device_link
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This works like charm . I didnt knew i can use timechart command like that too . Thanks for help .
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
can not·
Can you substitute BIN and STATS for example?
index=X sourcetype=X source=X
| bin span=XX _time
| stats first(percentage_allocation) as percentage_allocation by _time,devicename,link
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This stats query doesnt work as i am expecting output in chart .
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
