Solved: How to get the count (Exceptions) for last 5 days ...

Madhan45 · ‎01-12-2016

This is my expected result:

Exceptions  Day1  Day2  Day3  Day4  Day5
Abc          5     4     3     1     0
Start        3     4     4     5     6       
xyz          3     2     5     0     0

renjith_nair · ‎01-12-2016

Try this

your search |chart count over Exceptions by <day field>

or if you don't have a day field

        your search |chart span=1d count over Exceptions by _time

Happy Splunking!

View solution in original post

renjith_nair · ‎01-12-2016

Try this

your search |chart count over Exceptions by <day field>

or if you don't have a day field

        your search |chart span=1d count over Exceptions by _time

Happy Splunking!

Madhan45 · ‎01-12-2016

It shows results only for first exception.!!

renjith_nair · ‎01-12-2016

Do you have other Exceptions in the events? Just try this to see how it works

    index=* earliest=-7d|chart count over sourcetype by _time span=1d

Happy Splunking!

Madhan45 · ‎01-12-2016

great working fine. But now the problem is dates are in epoch format. How to convert that in to normal format?

Madhan45 · ‎01-12-2016

Found Now it is working fine.
index=_internal sourcetype=* earliest=-7d | eval time=strftime(_time,"%m/%d/%y") |chart count over sourcetype by time span=1d

Madhan45 · ‎01-12-2016

Thank you renjith

renjith_nair · ‎01-12-2016

You are welcome, Please mark as answer so that the thread will be closed

Happy Splunking!

renjith_nair · ‎01-12-2016

Just convert time before chart ie

     index=* earliest=-7d|eval _time=strftime(_time,"%d-%m-%Y")|chart count over sourcetype by _time span=1d

You can use other variables instead of _time as well.

If you got the answer, just mark as answer so that the thread will be closed

Happy Splunking!

How to get the count (Exceptions) for last 5 days in a single table?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms