Kibana subtracting the values of 2 indices - elasticsearch

I have 2 indices in kibana 4:
The 1st index bases its time on the event's Date Created.
The 2nd index bases its time on the event's Date Closed.
Both are date values, and I want to create a query which returns: total number of docs with Date Created (today) - total number of docs with Date Closed (today).
If this is not possible, is it possible if I have both fields in one index?

Yes, you need to have both date values within the same index so that you can do the subtraction using a scripted field in Kibana. You could simply have your script as such:
doc['date_created'].value - doc['date_closed'].value
Make sure to use your exact field names in place of date_created and date_closed.
And then you could use this scripted field as a Date Histogram to show the total count of the docs within the retrieved date range.
Hope this helps!

Related

Calculating total number of days based on the relative date range filter in tableau

I have a date column using which I created a "relative date" filter as follows:
Now I want to create a measure as follows:
SUM(value from another column) / total number of days in that date range.
Can someone help me create this measure? Thanks!
Assuming your Record Date field is at the day level of detail, you could do:
SUM(value from another column)/countd(record_date)

Daily unique count, weekly unique count in the same Timelion chart

I want to visualize the unique count for a field aggregated daily and weekly per day in the same sheet. But timelion aggregation affects the entire sheet instead of just a single chart.
The expression I am using to get the daily unique count is
.es(metric='cardinality:userId').bars().title('Unique users over time')
If I change the bucket range on the right to 1d, I get the correct chart. How do I create the weekly aggregation?
There is a possibility to specify the interval used for Timelion expressions by passing interval=1d or interval=1w to the es() function. For details, please see the docs here.
In your case this should work with the following expression:
.es(metric='cardinality:userId',interval=1w).bars().title('Unique users per week')
Be aware of the comment inside the docs, stating that this should not be used in favor of working with the interval picker. But probably this is a use case where it is okay to do it like this...

Comparing data in kibana

I am indexing user data for each day and using Kibana to analyse it; so far I am able to visualize all my requirements. But I am not able to visualize the following use case:
I want to analyse the total number of users, the number of repeated users from the previous day, and how many are unique.
I can visualize the total number of users per day, but how do I compare today's data with yesterday's?
Any help appreciated.
Thanks in advance
I hope I understand your requirement correctly, but you could create a Vertical Bar Chart visualization with Kibana and change the default 'Count' to 'Unique Count', select the field you'd like to do the unique count for, and then add an X-Axis with a date histogram on your timestamp field.
This will create a bar chart and each bar will contain the unique count for each time interval. So if you select 7 days as your timeframe and 1 day interval in your X-Axis date histogram, you'll see the unique count per day.

Splunk argmax: get field value corresponding to max value of another field

Let's say on Splunk, I have a table with the fields 'month', 'year', and 'count'. I want the month corresponding to the max count for each year. So, the resulting table should only have one month per year.
I've tried using the stats and chart max functions, but I can't figure out how to use them to get what I want, or if it's even possible.
Is there any way to accomplish this using Splunk?
I ended up using the streamstats command.
Given a table with the fields month, year, and count:
<some search>
| streamstats max(count) as mc by year
| sort +year, -count
| streamstats first(mc) as mc
| where count = mc
Essentially, I'm using streamstats to max across each month in each year, storing a running max for each entry as a new column. Then, I sort it so that the largest max count is at the top of each year group, so that I can then select the first one as the max entry.
I also had the same requirement.
I had log data with the fields 'loadtime', 'application', and 'username'.
First I wanted to compute the maximum value of loadtime for each application. Then, create a table/chart which should contain a single row for each application, having the application name and maximum load time. The table should also have the user field's value for the maximum loadtime calculated for each application.
Below is the Splunk query I used to achieve the above:
search_string
| streamstats max(loadtime) as max_time by application
| sort +application -loadtime
| streamstats first(max_time) as max_time by application
| where loadtime=max_time
| table application,max_time,username

How can I select entries for a given weekday using SQL?

I could use this query to select all orders with a date on a monday:
SELECT * FROM orders WHERE strftime('%w', date) = '1';
But as far as I know, this can't be sped up using an index, as strftime has to be calculated for every row.
I could add an additional field with the weekday stored, but I want to avoid it. Is there a solution that makes use of an index, or am I wrong and this query actually works fine? (That means it doesn't have to go through every row to calculate the result.)
If you want all Mondays ever, you'd need a field or a sequential scan. What you could do is calculate the actual dates, for example for all Mondays within a year. The condition WHERE date IN ('2009-03-02', '2009-02-23', ...) would use the index.
Or as an alternative to vartec's suggestion, construct a calendar table consisting only of a date and a day name for each day in the year (both indexed) and then perform your query by doing a JOIN against this table.
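The three approaches from this thread side by side, as an added example that is not part of the original answers: the strftime() query, vartec's precomputed IN-list, and the calendar-table JOIN, run against a constructed SQLite table (one order per day of 2009, with an index on date) so EXPLAIN QUERY PLAN shows which ones actually use the index. Table and index names are assumptions for the demo.

```python
import sqlite3
from datetime import date, timedelta

# Constructed sample data (not from the original question): one order per day of 2009.
START, END = date(2009, 1, 1), date(2009, 12, 31)


def days(start, end, step=1):
    d = start
    while d <= end:
        yield d
        d += timedelta(days=step)


def build_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, date TEXT NOT NULL, amount REAL)")
    con.executemany("INSERT INTO orders (date, amount) VALUES (?, ?)",
                    [(d.isoformat(), float(d.day)) for d in days(START, END)])
    con.execute("CREATE INDEX idx_orders_date ON orders(date)")
    # Calendar table for the JOIN approach: one row per day plus its weekday, both indexed.
    # SQLite's %w numbers Sunday as 0 and Monday as 1; isoweekday() % 7 gives the same scale.
    con.execute("CREATE TABLE calendar (day TEXT PRIMARY KEY, dow INTEGER NOT NULL)")
    con.executemany("INSERT INTO calendar VALUES (?, ?)",
                    [(d.isoformat(), d.isoweekday() % 7) for d in days(START, END)])
    con.execute("CREATE INDEX idx_calendar_dow ON calendar(dow)")
    return con


def queries():
    # Every Monday in the range, precomputed in the application (vartec's IN-list approach).
    first_monday = START + timedelta(days=(7 - START.weekday()) % 7)
    mondays = [d.isoformat() for d in days(first_monday, END, 7)]
    return {
        # The question's query: strftime runs on every row, so the index on date cannot be used.
        "strftime": ("SELECT * FROM orders WHERE strftime('%w', date) = '1'", ()),
        "in_list": ("SELECT * FROM orders WHERE date IN (%s)" % ",".join("?" * len(mondays)),
                    tuple(mondays)),
        "calendar_join": ("SELECT o.* FROM orders o JOIN calendar c ON c.day = o.date "
                          "WHERE c.dow = 1", ()),
    }


def run_all():
    """Return {name: (row_count, query_plan)} so the three plans can be compared."""
    con = build_db()
    out = {}
    for name, (sql, params) in queries().items():
        plan = " / ".join(r[-1] for r in con.execute("EXPLAIN QUERY PLAN " + sql, params))
        out[name] = (len(con.execute(sql, params).fetchall()), plan)
    return out
```

Calling run_all() returns the same 52 Mondays for all three queries, but only the IN-list and the JOIN plans mention idx_orders_date; the strftime() plan is a full SCAN of orders.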
