- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Timechart count of -30d rolling window
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm looking to create a timechart of counts for a field where there is one bucket per day, and each bucket spans back 30 days. So the search would return a count for -30d to now, and -31d to -1d, and -32d to -2d, and so on, ideally back to the oldest index entry. I intend to display the counts directly on a line chart and also do some basic evals on the counts (like percentages). The idea is to get a historical snapshot of data from the perspective of each day. I've read some other posts that point to summary indexing as an answer, and that seems like it would solve the problem for future data, but I also have a need to look at historical data right now rather than wait for the summary index to be built to be able to see a trend.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I believe creating a summary index is the best solution for this scenario. You can backfill the index so that you can use historical data. Somebody may be able to provide a better solution, but this is the method that I've used for similar types of reports.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I believe creating a summary index is the best solution for this scenario. You can backfill the index so that you can use historical data. Somebody may be able to provide a better solution, but this is the method that I've used for similar types of reports.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the quick responses. I was able to get the appropriate results using streamstats as you suggested, but without building a summary index. In this scenario, would the purpose of the index be just for performance reasons? Does the data in the summary index persist for a longer time than our (90 day) normal index so we could search the summary of todays data in say, 1 year?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Agree with sc0tt, it seems you want to show timechart for all data in your index which should be expensive. Have a summary index configured to save data on daily basis (for historical data as well) and then use streamstats to get the rolling count, something like below-
your base search | timechart span=1d count(yourfield) as yourfield | streamstats sum(yourfield) as Count window=30
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
