Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Graphing off Tstats - total mental block

aymonfoa
Engager
‎12-04-2023 08:42 AM

Got a search like this (I've obfuscated it a bit)

| tstats count where index IN (index1, index2, index3) by _time , host
| where match(host,"^.*.device.mycompany.com$")

Got a great looking stats table - and Im really pleased with the performance of tstats - awesome.

I want to graph the results... easy right?  well no - I cannot for the life of me seem to break down a say, 60 minute span down by host, despite the fact I got this awesome oven ready totally graphable stats table

so I am trying 

| tstats count where index IN (index1, index2, index3) by _time , host
| where match(host,"^.*.device.mycompany.com$")
| timechart count by host

but the count is counting the host, whereas I want to "count the count" ?  Any ideas?  this will be a super simple one I expect - I got a total mental block on this

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎12-04-2023 01:42 PM

You can either use the prestats option as @richgalloway suggests, or the alternative way is to use count in tstats, then sum(count) in timechart, i.e.

| tstats count where index IN (index1, index2, index3) by _time , host
| where match(host,"^.*.device.mycompany.com$")
| timechart sum(count) by host

 

View solution in original post

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎12-04-2023 01:42 PM

You can either use the prestats option as @richgalloway suggests, or the alternative way is to use count in tstats, then sum(count) in timechart, i.e.

| tstats count where index IN (index1, index2, index3) by _time , host
| where match(host,"^.*.device.mycompany.com$")
| timechart sum(count) by host

 

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎12-04-2023 10:34 AM

Add the prestats option to the tstats command.  That will format the results for timechart to use.

| tstats prestats=t count where index IN (index1, index2, index3) by _time , host
| where match(host,"^.*.device.mycompany.com$")
| timechart count by host

 

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...