Splunk Search

How to add up the hourly number of transactions per day, and create a chart to show the total per day over X days?

andynieto
Engager

Hello community,

So I'm looking for some help here on how to build a search that will add up the total number of transactions per day and chart the results on a linear or bar table.

Here is a sample of the data I have per hour:

DateTime          Archive_count   Pending_all_srvs   sql_count       Indexed_count
9/20/2016 6:00    83,223          22,843             2,968,438,179   75,000
9/20/2016 5:00    86,995          20,484             2,968,354,956   103,125
9/20/2016 4:00    90,911          17,774             2,968,267,961   103,420
9/20/2016 3:00    91,798          20,800             2,968,177,050   81,250
9/20/2016 2:00    94,289          18,190             2,968,085,252   137,500
9/20/2016 1:00    111,240         25,838             2,967,990,963   150,020
9/20/2016 0:00    131,996         32,389             2,967,879,723   174,980
9/19/2016 23:00   154,493         40,413             2,967,747,727   175,000
9/19/2016 22:00   193,840         40,529             2,967,593,234   300,194
9/19/2016 21:00   198,897         95,864             2,967,399,394   175,329
9/19/2016 20:00   227,964         140,023            2,967,200,497   275,666
9/19/2016 19:00   258,549         159,660            2,966,972,533   275,626
9/19/2016 18:00   258,350         154,958            2,966,713,984   275,326
9/19/2016 17:00   280,576         122,066            2,966,455,634   250,492
9/19/2016 16:00   288,137         107,260            2,966,175,058   224,489
9/19/2016 15:00   260,641         96,703             2,965,886,921   225,277
9/19/2016 14:00   214,148         66,325             2,965,626,280   225,000
9/19/2016 13:00   234,994         59,123             2,965,412,132   200,277
9/19/2016 12:00   232,784         66,435             2,965,177,138   250,000
9/19/2016 11:00   235,473         57,980             2,964,944,354   125,224
9/19/2016 10:00   178,755         61,779             2,964,708,881   125,000
9/19/2016 9:00    116,158         32,690             2,964,530,126   75,000

Thank you,

sundareshr
Legend

Try this

base search | eval day=strftime(strptime(DateTime, "%-m/%-d/%Y %-H:%M"), "%m/%d") | stats sum(*) AS * by day