- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: Line Chart with a day wise usage count
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want to know how frequently a keyword is found(from the list of events) and see it in a time chart.
This is the search I am using, I am not sure if I am using it correct .
And there is a null line found in the line chart.
host= "HostA" or "HostB" "videostreamed"
| eval view=if(like(_raw,"%videostreamed%"),"Prime_Streamed"
| timechart span=1d count by view
I want to know the amount of events generated with the key word "videostreamed" based on the base-search I have, on a daily basis in a line chart.
Example : if the linechart has a spike on Monday, It should mean more events found with the videostreamed
The more the number of events, the higher is the usage that day.
I hope I am clear with my explanation
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think that this alone is good.
host= "HostA" or "HostB" "videostreamed"
| timechart span=1d count
Do you also need a number that does not match?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think this:
host= "HostA" or "HostB"
| timechart span=1d count count(eval(searchmatch("videostreamed"))) AS Prime_Streamed BY view
Or, probably you'd like this better:
host= "HostA" or "HostB"
| bucket _time span=1d
| stats count count(eval(searchmatch("videostreamed"))) AS Prime_Streamed BY view_time
| eval pct = 100 * Prime_Streamed / count
| timechart span=1d avg(pct) AS pct BY view
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You may want to consider assigning a number to it.
index=* | eval Text_Found = if(like(_raw,"%GET%"),"1","0") | where Text_Found=1 | timechart span=1m count by Text_Found
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think that this alone is good.
host= "HostA" or "HostB" "videostreamed"
| timechart span=1d count
Do you also need a number that does not match?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes, That would help too.
Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...
IM Landing Page Filter - Now Available
Dynamic Links from Alerts to IM Navigators - New in Observability Cloud
