Splunk Search

How to edit my search to get a tabular report for the last 30 days?

ravichandran
Explorer

I am trying to create a report table like the following:

Exception Name   1 Jan   2 Jan   3 Jan   ...   30 Jan
Exception 1        100     200     300           400
Exception 2         10      20      30            50

The one I have is giving me a different result:
eventtype="xxxx" |bucket span=24h _time | stats count(eventtype) by _time

1 Solution

jimodonald
Contributor

I'm guessing you're getting data formatted like:

_time count(eventtype)
1 Jan 1000
2 Jan 2000
...

Try it this way:

eventtype="xxxx" | bucket span=1d _time | convert timeformat="%e %b" ctime(_time) AS c_time | chart count over eventtype by c_time

That should line it up the way you want.

The convert is necessary for the columns to be labeled as human readable dates.


jimodonald
Contributor

Try to modify the chart command as follows:

... | chart count over eventtype by c_time limit=0 useother=false

The limit argument will specify that no filtering occurs.


ravichandran
Explorer

Trying to improvise. When I try the following with the last 30 days in the search, I run into problems:
SourceName="sname" Message="**" | bucket span=1d _time | convert timeformat="%e %b" ctime(_time) AS c_time | chart count over SourceName by c_time useother=f
1. I get the results truncated. It shows only a few dates, but when I reduce it to 7 days it works properly. Am I missing basic stuff?
2. Is there a way to count over combined columns, like count over (sourcename, Message)?
3. I want to append multiple sourcename and message values and have them piped into one search where I want to see the below results day-wise:
ExceptionName   Day1   Day2   Day3
Exception1        10    100    200
Exception2         0    200    300
Total             10    300    500

Thank you in advance

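An added example search (not from the original thread) that puts the pieces of this exchange together for the three follow-up questions: the truncation to a few dates is the chart command's default series limit, so limit=0 useother=f keeps every column; eval builds one combined ExceptionName from SourceName and Message so the count runs over both; fillnull and addcoltotals give zeros for empty cells and a Total row. SourceName and Message are the field names from the post; the index name and the Message patterns are placeholders. The timeformat is %Y-%m-%d rather than %e %b because chart orders the split-by columns lexicographically, and "1 Feb" would otherwise sort before "10 Jan" when the 30-day window crosses a month boundary.

```spl
index=<your_index> earliest=-30d@d latest=@d
    (SourceName="sname1" Message="*Exception one*") OR (SourceName="sname2" Message="*Exception two*")
| eval ExceptionName=SourceName.": ".Message
| bucket span=1d _time
| convert timeformat="%Y-%m-%d" ctime(_time) AS c_time
| chart count over ExceptionName by c_time limit=0 useother=f
| fillnull value=0
| addcoltotals labelfield=ExceptionName label=Total
```

The earliest=-30d@d latest=@d terms snap the window to whole days so the first and last columns are not partial-day counts.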

ravichandran
Explorer

That worked! Thank you!


jimodonald
Contributor

Oh, and you may need additional options for the chart command, such as limit=0 and useother=false.

More detail on the chart function:
http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Chart
