Calculating events per slice of time

There are a number of ways to calculate events per some period of time. All of these techniques rely on rounding _time down to some period of time, and then grouping the results by the rounded "buckets" of _time.

Using timechart

The simplest approach to count events over time is simply to use timechart, like this:

sourcetype=impl_splunk_gen
  | timechart span=1m count

In table view, we see:

Looking at a 24-hour period, we are presented with 1,440 rows, one per minute.

Note

Charts in Splunk do not attempt to show more points than the pixels present on the screen. The user is instead expected to change the number of points ...

Get Implementing Splunk: Big Data Reporting and Development for Operational Intelligence now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Implementing Splunk: Big Data Reporting and Development for Operational Intelligence by Vincent Bumgarner

Calculating events per slice of time

Using timechart

Note

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly