Hi Splunk Experts
As I'm trying to show the trend for 7 days, I have used the below eval expression to separate the _time things (date_hour, date_minute, date_wday, date_mday, date_month, date_year).
Time Expression:
| eval Date=strftime(_time,"%Y-%m-%d") | rex field="Date" "^(?<date_year>[^-]+)-(?<date_month>[^-]+)-(?<date_mday>.+)"
| eval date_hour=strftime(_time,"%H")
| eval date_minute=strftime(_time,"%M") | eval date_wday=strftime(_time,"%w")
and I'm using the below trend query to show the 7-day trend.
stats dc(user_id) AS USERS by date_hour, date_wday, Platform | chart eval(round(avg(USERS),0)) AS "AVERAGE USERS LOGGED IN" over date_hour by Platform
However, I could see that date_hour from 0 to 9 is repeated twice in the graph, showing as 0,00,1,01,2,02.....9,09, but both 0 and 00 show the same value.
Could you please suggest how to eliminate these repeated values for date_hour on the graph?
And for your reference, I am using the Summary Index concept, and from that I am picking up the fields to draw the trend.
| makeresults count=2
| streamstats count
| eval _time = if (count==2,relative_time(_time,"-8d@"), relative_time(_time,"@h"))
| makecontinuous span=1min _time
| appendcols
[| makeresults count=10000
| eval user_id ="User".(random() % 100 + 1)
| eval Platform=mvindex(split("Windows,Linux,Macosx",","),(random() % 3))
| table user_id Platform]
| where isnotnull(_time)
| table _time user_id Platform
| rename COMMENT as "this is sample. from here, your logic"
| eval Date=strftime(_time,"%Y-%m-%d")
| rex field=Date "^(?<date_year>[^-]+)-(?<date_month>[^-]+)-(?<date_mday>.+)"
| eval date_hour=strftime(_time,"%H")
| eval date_minute=strftime(_time,"%M")
| eval date_wday=strftime(_time,"%w")
| stats dc(user_id) AS USERS by date_hour, date_wday, Platform
| chart eval(round(avg(USERS),0)) AS "AVERAGE USERS LOGGED IN" over date_hour by Platform
Hi, @gopiven
date_hour is a string value, so "00" is normal.
Which field is "0"?
Splunk automatically extracts the date_hour, date_wday, date_minute, etc. fields by default if your data is ingested correctly with the event time. There is no need to extract these fields again.
Refer to the documentation for more details.
https://docs.splunk.com/Documentation/Splunk/8.0.0/Knowledge/Usedefaultfields
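As an added example (not part of this thread, and not Splunk code), here is a small Python reproduction of the stats/chart pipeline from the question, run over constructed events. It assumes the mix the question describes: some rows carry the default date_hour field, which has no leading zero ("0".."23"), and others carry the eval'd strftime(_time,"%H") form, which is zero-padded ("00".."23"). It shows why the chart gets separate 0 and 00 rows, and how normalizing the key to a number (what SPL's tonumber() does) collapses them. The EVENTS table and the normalize_hour helper are constructed for this example only.

```python
"""Reproduce the duplicated-hour bucket from the thread and the fix.

Constructed sample events (not data from the original post): each row is
(date_hour as stored, date_wday, Platform, user_id). Some rows carry the
unpadded default Splunk date_hour ("0", "9") and others the eval'd
strftime(_time, "%H") form ("00", "09"), so one hour appears under two
different string keys.
"""
from collections import defaultdict
from statistics import mean

EVENTS = [
    ("0",  "1", "Windows", "User1"),
    ("0",  "1", "Windows", "User2"),
    ("00", "2", "Windows", "User3"),
    ("00", "2", "Windows", "User4"),
    ("00", "2", "Windows", "User5"),
    ("00", "2", "Windows", "User6"),
    ("9",  "1", "Linux",   "User7"),
    ("09", "3", "Linux",   "User8"),
    ("09", "3", "Linux",   "User9"),
    ("09", "3", "Linux",   "User10"),
    ("13", "1", "Macosx",  "User11"),
    ("13", "2", "Macosx",  "User11"),  # same user on two days: dc() counts once per day
]


def normalize_hour(raw: str) -> int:
    """Hypothetical helper equivalent to SPL tonumber(): "0" and "00" both become 0."""
    return int(raw)


def stats_dc_users(events, hour_key):
    """| stats dc(user_id) AS USERS by date_hour, date_wday, Platform

    hour_key is applied to the stored date_hour before grouping; str keeps
    the raw strings (what the question's query does), normalize_hour fixes it.
    Returns {(date_hour, date_wday, Platform): distinct user count}.
    """
    groups = defaultdict(set)
    for date_hour, date_wday, platform, user_id in events:
        groups[(hour_key(date_hour), date_wday, platform)].add(user_id)
    return {key: len(users) for key, users in groups.items()}


def chart_avg_users(dc_rows):
    """| chart eval(round(avg(USERS),0)) AS "AVERAGE USERS LOGGED IN" over date_hour by Platform

    Averages the per-weekday distinct counts for each (date_hour, Platform)
    cell. Returns {date_hour: {Platform: rounded average}}.
    """
    per_cell = defaultdict(list)
    for (date_hour, _wday, platform), users in dc_rows.items():
        per_cell[(date_hour, platform)].append(users)
    chart = defaultdict(dict)
    for (date_hour, platform), values in per_cell.items():
        chart[date_hour][platform] = round(mean(values))
    return dict(chart)


def hour_rows(events, hour_key=str):
    """Run the whole pipeline and return the sorted chart row keys (the X axis)."""
    return sorted(chart_avg_users(stats_dc_users(events, hour_key)))


if __name__ == "__main__":
    print("raw keys:       ", hour_rows(EVENTS))                  # "0" and "00" are separate rows
    print("normalized keys:", hour_rows(EVENTS, normalize_hour))  # one row per hour
    print(chart_avg_users(stats_dc_users(EVENTS, normalize_hour)))
```

With the raw string keys the chart has a row for "0" and another for "00" (and likewise "9" and "09"), each averaged only over the weekdays that happened to use that spelling, which is exactly the doubled X axis in the question. Once the key is numeric the two groups merge and their per-weekday distinct counts are averaged together. In SPL the same normalization is an eval of date_hour=tonumber(date_hour) before the stats, or, as the answers above say, simply keeping the default date_hour field and not re-evaluating it with strftime.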