What I want to see is a visualization: the x-axis starts from to and there are no data points for most of the x-axis, but at the last second (the rightmost) I want to see 10 dots, whose y-axis values are from 1 to 10.

The Splunk timechart command is used to produce the summary statistics table.

Let's say the time span is the last 24 hours. When running the above query in Splunk, it will generate 10 records with the same _time field, which is and a rowNumber field with values from 1 to 10.

    | makeresults count=10 | streamstats count AS rowNumber

Update: let me try to describe what I wanted using a data generation example:

(You don't have to use timechart; any command that can achieve my goal will be accepted.)

A timechart is a statistical aggregation applied to a field to produce a chart, with time used as the x-axis.

I need the x-axis to be the time span (the time range that I passed in as the query timespan). Every event will be a data point in that chart, and the y-axis is the value of a field that I choose, for example fieldA, which is a double-valued field.

Edit the Status Over Time panel to show a timechart with counts reflecting status codes: SPL> indexmain statustype'statustype' httpuri.

04-04-2012 06:25 PM

Here is my search:

    source="WinEventLog:Security" EventCode=540 | timechart span=1h count by User

This gives me the count by hour that users are logging in, but I only want the users that are exceeding a threshold like 200 times an hour, so I do this.

Splunk Cloud Services SPL2 Search Manual: Specifying time spans

Some commands include an argument where you can specify a time span, which is used to organize the search results by time increments.

Very simple, I don't need any max/min/sum/count at all. My goal is to display a line chart, representing the value of an event field over time.
I tried several syntaxes but none is working.

Solution

DamienDallimor, Ultra Champion, 04-04-2012 06:53 PM

Because the count field is not in the timechart results. The count value is part of the various User fields.