Note for those that are trying to use 'trellis.name' or 'trellis.value'. It doesn't work at the moment (Splunk 7.0.2). ... View more

Hi, The search I posted is meant as an example that you should adapt to your needs. The main idea is: Use a single time period instead of sub-searches. (sorry it wasn't clear as I replied to you in two different comments) For your search I'm recommending using an existing report from the Monitoring Console like "DMC License Usage Data Cube". You can activate report acceleration and instead of using "tstats" use "savedsearch" command (http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/savedsearch ). Also you could remove weekends from your results using date_wday field as search criteria if you want. Cheers, Stéphane ... View more

Btw you could use percentiles (perc eval function) instead of calculating percentages to filter the result. But I believe calculating percentages on standard deviations is unnecessary, isn't it? ... View more

@3no Example using 'tstats' but it works with normal search also. The goal is to count number of events per hour between now and yesterday but display yesterday results as an overlay of todays' (you can change the time period if you want). 'addinfo' gets Search infos as result fields. I get "latest" value with it (info_max_time). 'eval' modifies "_time" when "date_wday" doesn't match "info_max_time" weekday. The modification is about settings all "_time" on a "one day" time period (info_max_time day). If my explanation doesn't make sens please don't hesitate to tell me, I'll try to rephrase. | tstats count WHERE host=127.0.0.1 earliest=-1d latest=now BY _time, date_wday span=1h | addinfo | eval _time=if(match(date_wday, lower(strftime(info_max_time, "%A"))), _time, relative_time(info_max_time, "@d")+(_time-relative_time(_time, "@d"))) | timechart max(count) by date_wday fixedrange=f Cheers, ... View more

You could start your search using "tstats" instead (docs.splunk.com/Documentation/Splunk/latest/SearchReference/tstats ). Example: | tstats count by _time, host span=4h | streamstats stdev(count) by host window=4 ... View more

Hi, You should avoid using "join" command. It's not very efficient. Instead you can search on the whole time period (earliest=-3d latest=now), categorise events based on date_* fields, do the stats and then for display purposes modify _time for -3d events to match @d timeline (I'll show an example in main thread). Also license_usage.log and metrics.log are used in the Monitoring Console within several existing reports. You could activate acceleration on those reports and base your search on their results (using "savedsearch" command). Cheers, ... View more

@magnew Hi, indeed "forward compatibility". I made the visualization using Splunk 6.5 Viz API and to fix the issue I switched to Splunk 6.4 Viz API. Splunk 6.4 Viz API is compatible with Splunk 6.5 as expected. ... View more