- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: How do i get the sum of data from the latest t...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do i get the sum of data from the latest timestamp
Hello,
I have a peculiar question:
Below is sample data:
| _time | data storage name | Size of data storage |
| 2023-04-30T00:31:00.000 | data_storage_1 | 10 |
| 2023-04-30T00:31:00.000 | data_storage_2 | 15 |
| 2023-04-30T12:31:00.000 | data_storage_1 | 15 |
| 2023-04-30T12:31:00.000 | data_storage_2 | 20 |
| 2023-05-01T00:31:00.000 | data_storage_1 | 20 |
| 2023-05-01T00:31:00.000 | data_storage_2 | 30 |
| 2023-05-01T12:31:00.000 | data_storage_1 | 30 |
| 2023-05-01T12:31:00.000 | data_storage_2 | 40 |
| 2023-05-02T00:31:00.000 | data_storage_1 | 40 |
| 2023-05-02T00:31:00.000 | data_storage_2 | 50 |
| 2023-05-02T12:31:00.000 | data_storage_1 | 50 |
| 2023-05-02T12:31:00.000 | data_storage_2 | 50 |
How do i go about getting the the sum of all storages per time frame?
Example of output:
Time Total Storage
04/30 00:31 -> 25
04/30 12:31 -> 35
05/01 00:31 -> 50
05/01 12:31 -> 70
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you tried something like
| stats sum(storage) by _time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So I think i got what i needed:
| stats sum(Size of data storage) by _time, "data storage name"Adding Bin added a layer of unnecessary sum of the values. I tried a | bin span=12h _time .
Also, I was not able to get the visual correctly with the differentiated colors, had to use the trellis option, and that helped split my graph into 2 different graphs. For now, i can make due with that.
But in theory, it should've split it in to different colors on the column chart, one for each data storage.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I did look into the bin command a bit further and It did help, thanks again! Needed to timechart my data for the latest data of that day as it kept growing and data points were just snapshots of the storage of that day.
Final code:
| bin _time span=12h
| stats latest(<storage size>) as <storage size> by _time data_storage
| timechart span=12h sum(<storage size>) by data_storage
For the requirement I needed, I just needed to do bin = 1d and span=1d to get daily data trend for the past year of data.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I forgot to add
You could also use | timechart and work with the bin parameter to group events by time ranges.
If you still wants to work with stats you can call the | bin command.
see first example on this docs https://docs.splunk.com/Documentation/SCS/current/SearchReference/BinCommandExamples
Introducing the Splunk Community Dashboard Challenge!
Get the T-shirt to Prove You Survived Splunk University Bootcamp
Wondering How to Build Resiliency in the Cloud?
