Solved: Sort result by date and show it on Dashboard

toshiro92 · ‎02-12-2015

Hi all,

I'm newbie with Splunk, and i try to show each value by date with columns, but i have always the "count" value.

First, i wanted to show all File Name existing on my search, with :

host="sample" Executed="Yes" Username="user" "File Name"="*"  | top limit=20 "File Name" |

The results was 5 lines and three columns "File Name", "Count" and "Percent", that are default columns. Each File was executed 3 times at different periods of time, so i wanted to show all with the column graph, but after tries, it didn't. I tried to follow This example to understand time on Splunk and adapted it like this :

host="sample" Executed="Yes" Username="user" "File Name"="*"  | top limit=20 "File Name" |  eval weekDay = strftime(_time,"%a") | eval HourOfDay = strftime(_time,"%H") | table _time, weekDay, HourOfDay

The result was best, but i don't know how to show the "File Name" column on the table. I missed something, can you help me ?

Thank you.

richgalloway · ‎02-12-2015

Have you tried this ?

... | table _time weekDay HourOfDay "File Name"

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎02-12-2015

Have you tried this ?

... | table _time weekDay HourOfDay "File Name"

---
If this reply helps you, Karma would be appreciated.

sideview · ‎02-12-2015

or ... | timechart count by "File Name" for that matter.

toshiro92 · ‎02-23-2015

Oh ok, that was so simple, i tried a more complex solution.

Sort result by date and show it on Dashboard

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!