In table view, we see:
Looking at a 24-hour period, we are presented with 1,440 rows, one per minute.
Charts in Splunk do not attempt to show more points than the pixels present on the screen. The user is instead expected to change the number of points to graph, using the bins or span attributes.

Calculating average events per minute, per hour shows another way of dealing with this behavior.
If we only wanted to know about minutes that actually had events, instead of every minute of the day, we could use bucket and stats, like this:
sourcetype=impl_splunk_gen
| bucket span=1m _time
| stats count by _time
bucket rounds the _time field of each event down to the minute in which it occurred, which is exactly what timechart does internally. This data will look the same, but any minutes without events will not be included. Another way to accomplish the same thing would be as follows:
sourcetype=impl_splunk_gen
| timechart span=1m count
| where count>0
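To make the difference between the two searches concrete, here is an added Python model (not Splunk's own code, and not from the book) of what bucket span=1m plus stats count does versus what timechart span=1m count does, run over a constructed set of event timestamps. The function names, the sample events and the ten-minute window are all assumptions made for this illustration.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

def bucket_minute(ts: datetime) -> datetime:
    """Round a timestamp *down* to its minute, as `bucket span=1m _time` does."""
    return ts.replace(second=0, microsecond=0)

def sparse_counts(events):
    """Model of `bucket span=1m _time | stats count by _time`:
    only minutes that actually contain events appear in the result."""
    counts = Counter(bucket_minute(t) for t in events)
    return dict(sorted(counts.items()))

def dense_counts(events, start, end):
    """Model of `timechart span=1m count`: one row per minute in
    [start, end), with a zero for every minute that had no events."""
    sparse = sparse_counts(events)
    rows = {}
    cur = bucket_minute(start)
    while cur < end:
        rows[cur] = sparse.get(cur, 0)
        cur += timedelta(minutes=1)
    return rows

def nonzero(rows):
    """Model of `| where count>0` applied to the timechart rows."""
    return {t: c for t, c in rows.items() if c > 0}

# Constructed sample: five events in a ten-minute window, leaving gaps.
BASE = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
WINDOW_END = BASE + timedelta(minutes=10)

def minute(n: int) -> datetime:
    """Helper: the start of minute n of the constructed window."""
    return BASE + timedelta(minutes=n)

SAMPLE_EVENTS = [
    BASE + timedelta(seconds=5),
    BASE + timedelta(seconds=42),
    minute(3) + timedelta(seconds=10),
    minute(7) + timedelta(seconds=59),
    minute(7) + timedelta(seconds=1),
]

if __name__ == "__main__":
    dense = dense_counts(SAMPLE_EVENTS, BASE, WINDOW_END)
    print("timechart rows:", len(dense))                        # 10, zeros included
    print("bucket|stats rows:", len(sparse_counts(SAMPLE_EVENTS)))  # 3, gaps dropped
    print("where count>0 matches bucket|stats:", nonzero(dense) == sparse_counts(SAMPLE_EVENTS))
```

Both Splunk searches on the page produce the three non-empty rows; only timechart on its own emits the seven zero rows in between.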