Refine your search:

How do you search results produced from a timechart...by command?

1

I have a query similar to below:

... | timechart span=30s count by host

resulting in output that looks like:

_time hosta hostb 3/12/12 15:10:00 6 0 3/12/12 15:10:30 10 5

From this output I'm only interested in '0' values and would like to report host and time values for those instances. I'm unable to craft a query to get a handle on values in this timechart command. Is there some way to address the count and host values in a subsequent search?

asked 12 Mar '12, 17:25

saltmills's gravatar image

saltmills
11
accept rate: 0%

2 Answers:
oldestnewestmost voted
3

Ok , the untable command after timechart seems to produce the desired output

... | timechart span="30s" count by  host | untable _time host count | where count=0
link

answered 13 Mar '12, 19:47

Damien%20Dallimore's gravatar image

Damien Dalli...
4.5k2313
accept rate: 23%

Nice. That does it! Thanks for help.

(13 Mar '12, 22:50) saltmills

Great! Happy Splunking.

(13 Mar '12, 23:09) Damien Dalli...
1

Try something like :

... | bucket _time span="30s"| stats count by host,_time | where count=0
link

answered 12 Mar '12, 19:45

Damien%20Dallimore's gravatar image

Damien Dalli...
4.5k2313
accept rate: 23%

Thanks for response.

I'm actually using bucket command earlier in the query. However, it will not report a _time value for which no matching events occur, and no count=0 match will ever appear in your final results. By having the timechart command I can at least get count=0 instances appearing in the results along with associated _time and host, but the question is how do I isolate them?

(12 Mar '12, 21:07) saltmills
Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×286
×44

Asked: 12 Mar '12, 17:25

Seen: 387 times

Last updated: 13 Mar '12, 23:09

Related questions

Use results from search as input to a lookup

How can you format numbers in a ctable?

Can we disable the inspect link from the search results ??

Extract results from field with ; seperated values

How do you format numbers produced by 'count over'?

How do I get all the values.

Renaming _time field causes an unwanted result

How would I get these results by day

How can you restrict timechart to display only weekdays?

Copyright © 2005-2012 Splunk Inc. All rights reserved.