- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- How to display trend for 3 months?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
How can i display last 3 months data monthly wise count as trend dashboard.To check whether monthly increasing or decreaing data.
index="os" sourcetype="Service" CaseNumber=* status=* assignment=* |dedup _time,CaseNumber,assignment_group| streamstats current=f last(assignment_group) as lg, last(active) as Active by CaseNumber | eval ss=case(assignment!=lg AND assignment="Susta","Escalated",assignment="Susta" AND status="Complete" AND (isnull(Active) OR Active="true"),"Resolved") |timechart count by ss usenull=f
How can i display monthly wise count as trend in dashboard
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@udaypulipaka ,
Please accept the answer if it worked for you!.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this,
You can use span in timechart
https://docs.splunk.com/Documentation/SplunkCloud/7.2.3/SearchReference/Timechart
Your search | timechart span=3mon count by ss usenull=f
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index="os" sourcetype="Service" CaseNumber=* status=* assignment=* |dedup _time,CaseNumber,assignment|streamstats current=f last(assignment) as lg, last(active) as Active by CaseNumber | eval is_escalated= if(assignment!=lg AND assignment="Susta",1,NULL)
|eval is_resolved=if(assignment_group="Susta" AND status="Complete" AND (isnull(Active) OR Active="true"),1,NULL)| chart count(is_escalated) AS "Escalated Cases" count(is_resolved) AS "Resolved Cases" by Component
For this query i need linechart.when i add timechart to this query it is showing all the components in below.It looks not gud.So can u help how to do trend for this query.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
can you try this,
your search | bin span=3mon _time |stats count(ss) as count by _time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
timechart span=3mon count by ss usenull=f this is working fine.Thank u for your help
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
