Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get 1 row per bucket in a timechart

Splunkster45
Communicator
‎04-24-2015 11:58 AM

Currently, a log file is being written to every 5 minutes that displays each user logged in at that specific point in time.

If I have
5 users on at 13:01
6 users on at 13:06
7 users on at 13:11
8 users on at 13:16
5 users on at 13:21
7 users on at 13:26

I'd like to see one row output corresponding to 1:00 with a value of 8.

When I run this command

     ...| timechart distinct_count(user)  | bucket _time span=30m | makecontinuous _time span=30m

The 6 rows previously mentioned are still there, but their timestamp has been bucketed to 13:00. How do I get 1 row per bucket (half hour) with a value corresponding to the max of the values in that row.

Thanks and have a great weekend!

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rsennett_splunk
Splunk Employee
Splunk Employee
‎04-26-2015 06:08 PM

timechart already invokes makecontinuous internally and it also invokes bucket _time. So you would only need those if you wanted to use stats for some reason (and there are many reasons, but none required to get what you want)

What your asking for (bucketing one row per 30 minute bucket) would be what timechart dc(user) span=30m produces. is there something about that output that isn't what you want?

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

View solution in original post

Reply
Solved! Jump to solution
Solution

rsennett_splunk
Splunk Employee
Splunk Employee
‎04-26-2015 06:08 PM

timechart already invokes makecontinuous internally and it also invokes bucket _time. So you would only need those if you wanted to use stats for some reason (and there are many reasons, but none required to get what you want)

What your asking for (bucketing one row per 30 minute bucket) would be what timechart dc(user) span=30m produces. is there something about that output that isn't what you want?

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
Reply
Solved! Jump to solution

Splunkster45
Communicator
‎04-27-2015 09:41 AM

Thanks for pointing this out. I looked this again today and it is doing exactly what you said and what I want. Funny things start to happen when you stare at a screen too long on a Friday.

I didn't know that about timechart. I think I used stats before needed those commands. Sure enough, when I got rid of makecontinuous, it didn't change the visualization. timechart dc(user) span=30m makes my search string look much cleaner.

Thanks again!

Reply
Solved! Jump to solution

rsennett_splunk
Splunk Employee
Splunk Employee
‎04-27-2015 09:50 AM

Awesome! Glad it was a simple solution. Sometimes all it does take... as another pair of eyeballs. 🙂

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...