We are presented with this graph:
There is no indication of what period of time is represented by each bar unless you roll over the chart. In this case, each bar represents 30 minutes, which makes the significance of the y axis difficult to judge: the same y value means something different on a chart with a different span. In both cases, we could add span=1m to timechart, and we would know that each bar represents one minute. This would be fine for a chart representing one hour, but a query for 24 hours would produce too many points, and we would see a truncated chart.
Another approach is to calculate the average number of events per minute, and then report that value for each slice of whatever time frame we are looking at. timechart provides a convenient function to accomplish this, but we have to do a little extra work, because per_minute needs a numeric field to sum:
earliest=-24h sourcetype=impl_splunk_gen
| eval eventcount=1
| timechart span=1h per_minute(eventcount)
per_minute calculates the sum of eventcount per minute, then averages that value over the slice of time each bar represents. With span=1h, each bar shows the average number of events per minute during that hour, not the number of events per hour. Because the value is a rate, bars remain comparable no matter which span we choose.
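To make the difference between a raw count and a per_minute rate concrete, here is an added Python model of what timechart does with the eventcount=1 trick. It is not Splunk's code or the book's; it assumes per_minute(X) is sum(X) over the bucket divided by the number of minutes in the span (Splunk documents per_minute as a per-minute rate), it floors timestamps to span boundaries the way timechart does, and the events it processes are constructed test data standing in for sourcetype=impl_splunk_gen. The same events are charted at span=30m and span=1h, first as a count and then as per_minute, so you can see that the count halves when the span halves while the rate stays put.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed window start for the sample data (aligned to an hour boundary).
START = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)


def make_events(rates_per_minute):
    """Constructed sample data, not real Splunk output: for hour i, emit
    rates_per_minute[i] events in every minute of that hour, evenly spaced.
    Returns a list of timezone-aware datetimes, one per event."""
    events = []
    for hour, rate in enumerate(rates_per_minute):
        for minute in range(60):
            base = START + timedelta(hours=hour, minutes=minute)
            for k in range(rate):
                events.append(base + timedelta(seconds=60 * k / rate))
    return events


def timechart(events, span_seconds, stat):
    """Model of `timechart span=<span> <stat>(eventcount)` with eventcount=1.

    stat == "count"      -> raw number of events in each bucket
    stat == "per_minute" -> that number divided by the minutes in the span,
                            i.e. the average events per minute over the bucket
                            (assumption about per_minute's definition, see above)

    Buckets are floored to multiples of span_seconds, as timechart does.
    Only buckets that contain events are returned; the sample data has none
    empty, so no zero-filling is needed here.
    """
    if stat not in ("count", "per_minute"):
        raise ValueError("stat must be 'count' or 'per_minute'")
    sums = defaultdict(int)
    for ts in events:
        epoch = int(ts.timestamp())
        bucket = epoch - epoch % span_seconds
        sums[bucket] += 1  # eventcount=1 per event
    minutes_in_span = span_seconds / 60
    result = {}
    for bucket in sorted(sums):
        value = sums[bucket] if stat == "count" else sums[bucket] / minutes_in_span
        result[datetime.fromtimestamp(bucket, tz=timezone.utc)] = value
    return result


def chart_values(events, span_seconds, stat):
    """Bar heights in time order, which is what the y axis plots."""
    return list(timechart(events, span_seconds, stat).values())


if __name__ == "__main__":
    # Three hours at 2, 4 and 1 events per minute respectively.
    sample = make_events([2, 4, 1])
    for span in (1800, 3600):
        for stat in ("count", "per_minute"):
            print(f"span={span // 60}m {stat:>10}:", chart_values(sample, span, stat))
```

Running it shows count bars of 60/60/120/120/30/30 at span=30m versus 120/240/60 at span=1h, while per_minute gives 2/2/4/4/1/1 and 2/4/1 for the same data: the rate tells you the traffic level directly, whichever span the chart happens to use.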