
Splunk base subsearch input

I need some help with figuring out how to make this base search the best way without hitting the 500,000 limit as well.

index=Test | fields orders status

I need it to be used with these different searches:

search | timechart span=1d count(orders) by status
search | timechart span=30m count(orders) by status
search status!="Cancelled" | timechart span=1d count(orders) by status
search countryCode="SWE" | timechart span=1d count(orders) by status

I know base searches need to be transformative to not hit the cap, but how would I do that without making it unable to use the search command for the different things I need later, like for specific countries etc.? Or am I missing something simple?

Using stats in the base search keeps the events by time and status, giving the subsequent searches useful events to work with. First, the base search:

| bin _time span=30m | stats count(orders) as ordercount by _time status

Since this base search counts by status in 30m buckets, the subsequent searches should sum the counts into daily totals where appropriate:

| timechart span=1d sum(ordercount) as dailytotal by status

If you include countryCode in the stats as well, you might be able to use the same base search for that panel too:

search countryCode="SWE" | timechart span=1d sum(ordercount) as dailytotal by status

There's a strange thing in your base search: how can you have a span of 1 day with an earliest time of 60 minutes? Anyway, the best way to use a base search is using a transforming command (e.g. timechart or stats, etc.), so in this way you can limit the number of results, but base searches also run the way you used them. Anyway, it's possible to optimize your base search and the others in this way:

| timechart span=30m count(orders) by status

then use the following searches in panels:

| timechart span=1d count(orders) by status

The following are the spec and example files for nf.
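The thread's point is that a base search built on `fields` returns raw events and so runs into the 500,000-result cap, while a base search built on a transforming command (`stats`) returns aggregated rows that each panel can post-process with `search` and `timechart`. The following Simple XML dashboard is an added example, not code from the thread or from Splunk: the index name, the `orders`, `status` and `countryCode` fields and the 30-minute bucket come from the thread; the `bin` step, the dashboard labels, the search id `base_orders` and the time-picker token `tp` are assumptions.

```xml
<!-- Added example (not from the thread): one transforming base search,
     post-processed by four panels. Dashboard labels, the search id
     "base_orders" and the time token "tp" are assumed names. -->
<form>
  <label>Orders by status (base search example)</label>
  <fieldset submitButton="false">
    <input type="time" token="tp">
      <label>Time range</label>
      <default>
        <earliest>-7d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

  <!-- Base search: transforming (bin + stats), so the panels receive
       one aggregated row per 30-minute bucket, status and country
       rather than raw events, and stay far below the 500,000 cap.
       countryCode is kept in the split-by so a panel can still filter on it. -->
  <search id="base_orders">
    <query>
      index=Test
      | bin _time span=30m
      | stats count(orders) AS ordercount BY _time status countryCode
    </query>
    <earliest>$tp.earliest$</earliest>
    <latest>$tp.latest$</latest>
  </search>

  <row>
    <panel>
      <title>Daily orders by status</title>
      <chart>
        <!-- Post-process: sum the 30-minute counts into daily totals. -->
        <search base="base_orders">
          <query>| timechart span=1d sum(ordercount) AS dailytotal BY status</query>
        </search>
      </chart>
    </panel>
    <panel>
      <title>Orders by status, 30-minute buckets</title>
      <chart>
        <!-- Same bucket size as the base search, so this is a plain re-sum. -->
        <search base="base_orders">
          <query>| timechart span=30m sum(ordercount) AS count BY status</query>
        </search>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Daily orders excluding Cancelled</title>
      <chart>
        <!-- search still works on the aggregated rows because status is a split-by field. -->
        <search base="base_orders">
          <query>search status!="Cancelled" | timechart span=1d sum(ordercount) AS dailytotal BY status</query>
        </search>
      </chart>
    </panel>
    <panel>
      <title>Daily orders by status, Sweden only</title>
      <chart>
        <!-- Country filter is possible only because countryCode was kept in the base stats. -->
        <search base="base_orders">
          <query>search countryCode="SWE" | timechart span=1d sum(ordercount) AS dailytotal BY status</query>
        </search>
      </chart>
    </panel>
  </row>
</form>
```

Each post-process query starts with a command (`search` or a leading pipe), which is what Simple XML requires for a `base=` search. Summing `ordercount` in `timechart` collapses the extra `countryCode` split-by for the panels that do not filter on it, so every field you later want to filter on must be in the base `stats ... BY` list; anything dropped there is gone for all panels.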