Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Bucket:ed stats

carlpett
Engager
‎02-07-2013 01:36 AM

Our error logs are indexed by splunk, and I would like to pull some statistics from this. I want something like an aggregated count from each log source, bucket:ed into say 10 minute intervals, reported by the last 60 minutes.

For instance, something like this

Logging source | 60 minutes | 50 minutes | 40 minutes | 30 minutes | 20 minutes | 10 minutes
Method 1       | 5          | 6          | 10         | 2          | 4          | 8
Method 2       | 7          | 2          | 0          | 3          | 1          | 4
Method 3       | 51         | 30         | 34         | 62         | 41         | 28

I can't quite get my head around how to formulate this query though. I tried this:

index=...etc... | bucket _time span=10m | stats count by _time,LogSource | table count, LogSource, _time

Which is sort of "transposed" from what I really want, it's formatted like this instead:

_time                  | Count | LogSource 
2/7/13 9:50:00.000 AM  | 4     | Method 1
2/7/13 9:20:00.000 AM  | 10    | Method 1
2/7/13 9:20:00.000 AM  | 34    | Method 3
2/7/13 9:40:00.000 AM  | 2     | Method 2
2/7/13 10:00:00.000 AM | 8     | Method 1
2/7/13 9:40:00.000 AM  | 30    | Method 3

How can I turn this into the query I want?

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-07-2013 02:10 AM

Try this instead of your stats | table:

... | chart count over LogSource by _time

To get the X minutes you may want to eval yourself a new field with the time differences.

View solution in original post

Reply
Solved! Jump to solution

Paolo_Prigione
Builder
‎02-07-2013 02:15 AM

You can transpose such results with "xyseries", but probably you will have to transform the _time column to something ad-hoc. E.g. 

index=...etc... 
| bucket _time span=10m 
| stats count by _time, LogSource 
| table count, LogSource, _time
| convert(_time) as time timeformat="%H_%M"
| xyseries LogSource time count
0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-07-2013 02:10 AM

Try this instead of your stats | table:

... | chart count over LogSource by _time

To get the X minutes you may want to eval yourself a new field with the time differences.

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...