Solved: Re: How do i do a timechart by category with indiv...

prakash007 · ‎06-26-2017

index=a host=has 4 hosts
index=b host=has 4 hosts

Can we do a timechart with stacked column, categorizing the hosts by index and having the individual count of the hosts in each stack...??

I am able to do a timechart by category based on this answer, but i am looking for a way if i can do individual counts of each host in a stacked column too..??

https://answers.splunk.com/answers/525574/looking-for-a-search-to-categorize-by-hosts.html

somesoni2 · ‎06-26-2017

Assuming you need output like _time host1 host2 ... total_a total_b , give this a try

your base search 
| bucket span=10m _time    ***assuming you want to bucket time. update as required***
| stats count by _time index host
| appendpipe [| stats sum(count) as count by _time index | eval host="total_".index ]
| timechart span=10m sum(count) by host

View solution in original post

somesoni2 · ‎06-26-2017

Assuming you need output like _time host1 host2 ... total_a total_b , give this a try

your base search 
| bucket span=10m _time    ***assuming you want to bucket time. update as required***
| stats count by _time index host
| appendpipe [| stats sum(count) as count by _time index | eval host="total_".index ]
| timechart span=10m sum(count) by host

prakash007 · ‎06-26-2017

I am almost there, but index A,B Totals and Individuals hosts are on a single stack, is there any way i can do a different stacked columns for each IndexA Total with Individual host counts, Index B Total with individual host counts.?

somesoni2 · ‎06-26-2017

Not sure if that's possible. See if this workaround works for you.

your base search 
 | bucket span=10m _time    
 | stats count by _time index host
 | appendpipe [ | where index="a" | timechart span=10m sum(count) by host | addtotals | rename Total as Total_a | eval keep=1 ]
| appendpipe [ | where index="b" | timechart span=10m sum(count) by host | addtotals | rename Total as Total_b | _time=_time+1 | eval keep=1 ]
 | where keep=1 | sort 0 _time

prakash007 · ‎06-27-2017

This search works fine, i did some chart overlay with the total counts in my case. Thanks..!!

ddrillic · ‎06-26-2017

Are you starting with something like index=a OR index=b | timechart count by host?

prakash007 · ‎06-26-2017

yes, that works fine to get the individual count of the host in the stacked column, + i am also expecting to do a total count by index within the stacked column...??

prakash007 · ‎06-26-2017

This is what i did so far, where i can get the total count by category(index=a and index=b), but i am looking for if there's a way we can do individual counts within this search...

your base search giving fields host, _time
 | ...some logic to get category field there...
 | bucket _time span=10m  ***assuming you want to bucket time. update as required***
 | stats count by _time group host
 | appendpipe [| stats sum(count) as count by _time group | eval 
   group=group."- Total" ]
 | timechart span=10m sum(count) by group

How do i do a timechart by category with individual counts of the hosts..??

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...