date_hour values are repeated twice on the trend graph

gopiven
Explorer

Hi Splunk Experts,
As I'm trying to show the trend for 7 days, I have involved the below eval expressions to separate the _time parts (date_hour, date_minute, date_wday, date_mday, date_month, date_year).
Time Expression:
| eval Date=strftime(_time,"%Y-%m-%d") | rex field="Date" "^(?<date_year>[^-]+)-(?<date_month>[^-]+)-(?<date_mday>.+)"
| eval date_hour=strftime(_time,"%H")
| eval date_minute=strftime(_time,"%M") | eval date_wday=strftime(_time,"%w")

And I'm using the below trend query to show the 7 days trend.
stats dc(user_id) AS USERS by date_hour, date_wday, Platform | chart eval(round(avg(USERS),0)) AS "AVERAGE USERS LOGGED IN" over date_hour by Platform

However, I can see that the date_hour values from 0 to 9 are repeated twice in the graph, showing as 0,00,1,01,2,02.....9,09, but both 0 and 00 show the same value.

Could you please suggest how to eliminate these repeated values for date_hour on the graph?
And for your reference, I am using the Summary Index concept and from that I am picking up the fields to draw the trend.

0 Karma

to4kawa
Ultra Champion
| makeresults count=2 
| streamstats count 
| eval _time = if (count==2,relative_time(_time,"-8d@"), relative_time(_time,"@h")) 
| makecontinuous span=1min _time 
| appendcols 
    [| makeresults count=10000
    | eval user_id ="User".(random() % 100 + 1) 
    | eval Platform=mvindex(split("Windows,Linux,Macosx",","),(random() % 3)) 
    | table user_id Platform]
| where isnotnull(_time) 
| table _time user_id Platform 
| rename COMMENT as "this is sample. from here, your logic"
| eval Date=strftime(_time,"%Y-%m-%d") 
| rex field=Date "^(?<date_year>[^-]+)-(?<date_month>[^-]+)-(?<date_mday>.+)"
| eval date_hour=strftime(_time,"%H") 
| eval date_minute=strftime(_time,"%M") 
| eval date_wday=strftime(_time,"%w") 
| stats dc(user_id) AS USERS by date_hour, date_wday, Platform
| chart eval(round(avg(USERS),0)) AS "AVERAGE USERS LOGGED IN" over date_hour by Platform

Hi @gopiven,
date_hour is a string value, so "00" is normal.
Which field is "0"?

0 Karma

badrinath_itrs
Communicator

Splunk automatically extracts the date_hour, date_wday, date_minutes, etc. fields by default if your data is ingested correctly with event time. There is no need to extract these fields again.

Refer to the documentation for more details.

https://docs.splunk.com/Documentation/Splunk/8.0.0/Knowledge/Usedefaultfields

0 Karma
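
Added example, not part of any reply in this thread: a self-contained search over constructed events that reproduces the duplicated hours and then collapses them with tonumber(). It assumes date_hour reaches the chart in two forms: the zero-padded string from strftime(_time,"%H") and an unpadded value, which is how Splunk's default date_hour field is written. The fields n, hour_padded and date_hour_raw are hypothetical names used only here.

```spl
| makeresults count=48
| streamstats count AS n
| rename COMMENT as "constructed sample: one event every 30 minutes across today"
| eval _time = relative_time(now(), "@d") + (n - 1) * 1800
| eval user_id = "User" . (n % 7 + 1)
| eval Platform = mvindex(split("Windows,Linux,Macosx", ","), n % 3)
| rename COMMENT as "assumption: odd rows carry the padded strftime string, even rows the unpadded form"
| eval hour_padded = strftime(_time, "%H")
| eval date_hour_raw = if(n % 2 == 1, hour_padded, tostring(tonumber(hour_padded)))
| rename COMMENT as "normalize: 00 and 0 both become the number 0, so each hour is one chart row"
| eval date_hour = tonumber(date_hour_raw)
| eval date_wday = strftime(_time, "%w")
| stats dc(user_id) AS USERS by date_hour, date_wday, Platform
| chart eval(round(avg(USERS),0)) AS "AVERAGE USERS LOGGED IN" over date_hour by Platform
```

Replacing date_hour with date_hour_raw in the last two lines shows the 0,00 ... 9,09 rows from the question, while hours 10 to 23 stay single because both forms are the same string.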