For this query to work, we need _time, count and network. Since _time is the actual time of the event, we need to group the times to reduce the number of rows produced by stats. We can use bucket for this task. Our initial query will now look like this:
sourcetype="impl_splunk_gen" loglevel=error user="$user$"
| bucket span=1h _time
| stats count by network _time
This query will produce results such as those shown in the following screenshot:
To actually use these results in our panel, we need to modify the contents of <searchPostProcess> slightly. Since count expects to see raw events, the count will not be what we expect. We need instead to apply the sum function to the count field. We will also set the span value to match the span we used in the initial query:
timechart span=1h sum(count) as "Error count" by network
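As an added illustration, not code from the book, the following Python emulates the base search and both post-process variants on constructed sample events, showing why count in <searchPostProcess> reports the number of pre-aggregated rows while sum(count) reports the actual number of errors. The event list and field names are assumptions for the demonstration.

```python
from collections import Counter
from datetime import datetime

# Constructed sample error events (not from the book): (event time, network).
EVENTS = [
    (datetime(2024, 1, 1, 10, 5), "prod"),
    (datetime(2024, 1, 1, 10, 17), "prod"),
    (datetime(2024, 1, 1, 10, 32), "prod"),
    (datetime(2024, 1, 1, 10, 41), "prod"),
    (datetime(2024, 1, 1, 10, 58), "prod"),
    (datetime(2024, 1, 1, 10, 12), "dev"),
    (datetime(2024, 1, 1, 10, 50), "dev"),
    (datetime(2024, 1, 1, 11, 3), "prod"),
]

def bucket_1h(ts):
    """Emulates '| bucket span=1h _time': truncate the timestamp to the hour."""
    return ts.strftime("%Y-%m-%dT%H:00")

def base_search(events):
    """Emulates '| bucket span=1h _time | stats count by network _time'.
    Returns one row per (network, hour) carrying a count field, as Splunk does."""
    counts = Counter((net, bucket_1h(ts)) for ts, net in events)
    return [{"network": n, "_time": t, "count": c} for (n, t), c in sorted(counts.items())]

def postprocess_count(rows):
    """The naive post-process 'timechart span=1h count by network' run over the
    base-search rows: every row is treated as one event, so each (hour, network)
    cell only reports how many rows exist, which is always 1."""
    out = Counter()
    for r in rows:
        out[(r["_time"], r["network"])] += 1
    return dict(out)

def postprocess_sum_count(rows):
    """The corrected post-process 'timechart span=1h sum(count) as "Error count"
    by network': adds up the pre-aggregated count field per (hour, network)."""
    out = Counter()
    for r in rows:
        out[(r["_time"], r["network"])] += r["count"]
    return dict(out)

def direct_count(events):
    """Ground truth: count raw events per (hour, network) without post-processing."""
    return dict(Counter((bucket_1h(ts), net) for ts, net in events))

if __name__ == "__main__":
    print("count in post-process:", postprocess_count(base_search(EVENTS)))
    print("sum(count) in post-process:", postprocess_sum_count(base_search(EVENTS)))
```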
Panel 2
In the next panel, we currently have:
bucket bins=10 req_time | stats count by req_time
Since the bucket command needs to run against the raw events, we will add the command to the original query and also add req_time to stats:
sourcetype="impl_splunk_gen" loglevel=error user="$user$"
| bucket span=1h _time
| bucket bins=10 req_time
| stats count by network _time req_time