Solved: Re: Reporting / Dashboard issues

magneto417x · ‎03-10-2017

So I am using the following search to grab data:

source="mhn-splunk.log" |eval Time=strftime(_time,"%b %Y") | stats count as daycount by date_mday | streamstats avg(daycount) |

Issue I noticed today when looking at month to date it orders result in below order which also messes up bar chart any suggestions to fix would be much appreciated.

1
10
2
3
4
5
6
7
8
9

rjthibod · ‎03-10-2017

Quick note, I am not entirely sure what you are doing with the eval Time ... step because that doesn't have any effect.

Regadless, you can fix your sorting problem by adding a leading zero to date_mday. Add this to your search for ascending calendar dates..

| eval date_mday = if(date_mday < 10, "0".tostring(date_mday), tostring(date_mday)) | sort +date_mday

View solution in original post

puneethgowda · ‎03-10-2017

eval Time=strftime(_time,"%b %Y")

You are not using eval for any results.

My suggestion is to make use of strftime

Like below

eval datemday=strftime(_time,????)

Give the required format

And count by datemday

You can also use raw date column instead of _tim because daylight matters

magneto417x · ‎03-10-2017

I'm not sure I understand that would make my search be then I tried it a few times and it fails. Would you be able to post what the complete statement would look like?

puneethgowda · ‎03-10-2017

Sleeping time in India now let me try tomorrow

rjthibod · ‎03-10-2017

Quick note, I am not entirely sure what you are doing with the eval Time ... step because that doesn't have any effect.

Regadless, you can fix your sorting problem by adding a leading zero to date_mday. Add this to your search for ascending calendar dates..

| eval date_mday = if(date_mday < 10, "0".tostring(date_mday), tostring(date_mday)) | sort +date_mday

rjthibod · ‎03-10-2017

@magneto417X Did you try my suggestion of prepending the 0 to some dates?

magneto417x · ‎03-10-2017

That worked. Thanks 🙂

magneto417x · ‎03-10-2017

Not yet had to go to a meeting but plan to give it a spin when I'm back. I will try and update thread 🙂

somesoni2 · ‎03-10-2017

Try like this

source="mhn-splunk.log" |eval Time=strftime(_time,"%b %Y") | stats count as daycount by date_mday | sort 0 num(date_mday) | streamstats avg(daycount)

magneto417x · ‎03-10-2017

The returns same results and still not in order 😞

somesoni2 · ‎03-10-2017

That works for me for similar query. Did you use the exact query I gave or there was any modification. Give @rjthibod's answer a try then.

magneto417x · ‎03-10-2017

Copied the query and ran it and it failed 😞

Reporting / Dashboard issues

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...