- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: How to timechart by multiple time spans in a d...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want two charts in a dashboard - the count of an event by week and by day. Currently I have two scheduled searches:
Daily: | timechart span=1d count
Weekly: | timechart span=1w count
Is there a way that I can use the output of the daily search to do the aggregation? Something like
|loadjob savedsearch="Daily Query"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, you could... give a try creating your saved search, something like this:
index="bla" "your search" | bucket bin=1d _time | stats count by _time
Your saved search will endup with a stats by day. After that you could use the loadjob from that scheduled search use the timechart, like you mentioned:
| loadjob savedsearch="Daily Query" | timechart span=1w sum(count) as count
Just pay attention as you're already aggredating data in your first stats, the timechart function would be sum() for this example. The same would work if you use span=1d... and you still can keep the sum() as being the aggregating function.
Hope it helps...
Cheers,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @alchang
Just following up with this post, but did @musskopf's answer and comment below fully answer your question? If yes, don't forget to resolve this post by clicking "Accept" directly below the answer. Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, you could... give a try creating your saved search, something like this:
index="bla" "your search" | bucket bin=1d _time | stats count by _time
Your saved search will endup with a stats by day. After that you could use the loadjob from that scheduled search use the timechart, like you mentioned:
| loadjob savedsearch="Daily Query" | timechart span=1w sum(count) as count
Just pay attention as you're already aggredating data in your first stats, the timechart function would be sum() for this example. The same would work if you use span=1d... and you still can keep the sum() as being the aggregating function.
Hope it helps...
Cheers,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks! A related feature I'd like to add is let's suppose that I have daily for the past 30 days, but I want to just add up the weekly for the past two weeks. I tried
| loadjob savedsearch="Daily Query" | timechart span=1w sum(count) as count | where _time>"2015-02-17" and that didn't do anything.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Don't have any Splunk instance in front of me to test, but the "_time" is actually in seconds, Splunk only has a macro that converts to a readable format if the field name is "_time", so it should looks more like:
| loadjob savedsearch="Daily Query" | where _time>(strptime("2015-02-17", "%F")) | timechart span=1w sum(count) as count
The strptime converts a humam format to timestamp (epoch). Have a look here to see the formats it accepts: http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Commontimeformatvariables
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
