Our results will then look like this:
The panel query then becomes:
stats sum(count) by req_time
Panel 3
The last panel that we can add is the simplest yet.
stats count by logger
We simply need to add logger to the end of our initial query.
sourcetype="impl_splunk_gen" loglevel=error user="$user$"
| bucket span=1h _time
| bucket bins=10 req_time
| stats count by network _time req_time logger
We will also need to replace count with sum(count), thus:
stats sum(count) by logger
Final XML
What we have built is a query that produces a row for every combination of fields.
You can avoid this work by using table, but doing this extra work to reduce the
rows produced by the initial query can increase performance considerably.
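The Python sketch below is an added example, not code from the original text. It models the base query and the post-process step on constructed events to show why each panel must use sum(count) rather than count once the initial query has already aggregated. The event values and function names are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample events (not from the page): (network, _time hour, req_time bin, logger)
EVENTS = [
    ("prod", "09:00", "0-100", "AuthClass"),
    ("prod", "09:00", "0-100", "AuthClass"),
    ("prod", "09:00", "100-200", "AuthClass"),
    ("prod", "10:00", "0-100", "BarClass"),
    ("qa", "09:00", "0-100", "AuthClass"),
    ("qa", "10:00", "100-200", "BarClass"),
    ("qa", "10:00", "100-200", "BarClass"),
    ("qa", "10:00", "100-200", "BarClass"),
]
FIELDS = ("network", "_time", "req_time", "logger")

def base_search(events):
    """Model of 'stats count by network _time req_time logger': one row per combination."""
    return [dict(zip(FIELDS, combo), count=n) for combo, n in Counter(events).items()]

def stats_sum_count_by(rows, field):
    """Model of the post-process 'stats sum(count) by <field>'."""
    totals = Counter()
    for row in rows:
        totals[row[field]] += row["count"]
    return dict(totals)

def stats_count_by(rows, field):
    """Model of 'stats count by <field>' run on the rows: it counts rows, not events."""
    return dict(Counter(row[field] for row in rows))

def direct_count_by(events, field):
    """Model of 'stats count by <field>' run directly on the raw events."""
    idx = FIELDS.index(field)
    return dict(Counter(event[idx] for event in events))

if __name__ == "__main__":
    rows = base_search(EVENTS)
    print(len(EVENTS), "events reduced to", len(rows), "rows")
    print("sum(count) by logger:", stats_sum_count_by(rows, "logger"))
    print("count by logger     :", stats_count_by(rows, "logger"))
    print("direct on events    :", direct_count_by(EVENTS, "logger"))
```

Only sum(count) reproduces the totals a direct search would return; count on the pre-aggregated rows reports how many field combinations exist for each logger.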