Using bucket and stats, like this:
sourcetype=impl_splunk_gen
| bucket span=1h _time
| stats count by _time
We then get this table:
In this case, there are no results for the 9:00 AM to 10:00 AM time slot.
Calculating average events per minute, per hour
One limitation of graphing in Splunk is that only a certain number of events can be
drawn, as there are only so many pixels available to draw. When counting or adding
values over varying periods of time, it can be difficult to know what timescale is
being represented. For example, given the following query:
earliest=-1h sourcetype=impl_splunk_gen
| timechart count
Splunk will produce this graph:
Each of these bars represents one minute. If we change the time frame to 24 hours:
earliest=-24h sourcetype=impl_splunk_gen
| timechart count
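As an added example (not from the book), the following Python mimics what the two approaches above do to the timeline: bucket followed by stats count drops the empty 9:00 hour entirely, while timechart fills it with a zero and widens its span as the time frame grows. The event timestamps are constructed, and auto_span is a simplified stand-in for Splunk's span selection, not its actual algorithm.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data (not from the book): one morning of impl_splunk_gen
# event timestamps. Nothing is logged between 09:00 and 10:00.
BASE = datetime(2024, 1, 1)
EVENTS = (
    [BASE + timedelta(hours=8, minutes=m) for m in (5, 17, 42)]
    + [BASE + timedelta(hours=10, minutes=m) for m in (3, 59)]
    + [BASE + timedelta(hours=11, minutes=30)]
)


def bucket(ts, span):
    """Floor ts to the start of its span-wide bucket, like `bucket span=... _time`."""
    n = (ts - datetime.min) // span
    return datetime.min + n * span


def stats_count_by_time(events, span=timedelta(hours=1)):
    """`bucket span=1h _time | stats count by _time`: one row per bucket that
    actually contains events, so an empty hour yields no row at all."""
    counts = Counter(bucket(t, span) for t in events)
    return sorted(counts.items())


def timechart_count(events, span):
    """`timechart count` with a fixed span: every bucket from the first event to
    the last is present, zero-filled where nothing happened."""
    counts = Counter(bucket(t, span) for t in events)
    first, last = bucket(min(events), span), bucket(max(events), span)
    rows, cur = [], first
    while cur <= last:
        rows.append((cur, counts.get(cur, 0)))
        cur += span
    return rows


def auto_span(window, max_bars=60):
    """Simplified stand-in for span selection (assumption, not Splunk's rule):
    pick the smallest candidate span that keeps the bar count at or below
    max_bars, so a wider time frame gets a coarser span."""
    candidates = (timedelta(minutes=1), timedelta(minutes=5),
                  timedelta(minutes=30), timedelta(hours=1), timedelta(days=1))
    for span in candidates:
        if window / span <= max_bars:
            return span
    return candidates[-1]


if __name__ == "__main__":
    print(stats_count_by_time(EVENTS))              # no 09:00 row
    print(timechart_count(EVENTS, timedelta(hours=1)))  # 09:00 -> 0
    print(auto_span(timedelta(hours=1)), auto_span(timedelta(hours=24)))
```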