Dashboards & Visualizations

Searches based on time range in one graph

Khushboo
Explorer

Hi Team,

I have a query like the following:

index=something  earliest=-7d latest=now()
| stats count by page

where I need to calculate how many hits a page is getting in the last 1 hour, 4 hours, 24 hours and last week.

How do I join these searches to draw one line graph from them?


Khushboo
Explorer

Sorry for the confusion.
Yes, I'm looking for 1 hour values, then 4 and 24 hour running totals over the last week.
I want count by page. Whenever I'm adding stats count by page with timechart it returns no data.


bowesmana
SplunkTrust

Not sure what you mean by 'stats count by page with timecharts'.

Assuming you have a field 'page' then this timechart followed by the streamstats will give you all the relevant totals, but depending on how many pages you have, there will be a lot of data to visualise - with 4 values, each with significantly different scales that can only be represented on 2 y-axes.

your search
| timechart limit=0 span=1h count by page
| streamstats time_window=4h sum(*) as T_H04_*
| streamstats time_window=24h sum(*) as T_H24_*
| streamstats time_window=1w sum(*) as T_Wk_*
| fields _time T_*
| rename T_* as *

Does that work?


bowesmana
SplunkTrust

It's not clear what your line graph is intended to show, just 4 values with 1,4,24 hours and 1 week totals?

Or are you looking for 1 hour values, then 4 and 24 hour running totals over the last week, e.g. like this

index=_internal 
| timechart span=1h count
| streamstats time_window=4h sum(count) as Hour4
| streamstats time_window=24h sum(count) as Hour24

but showing that as a line graph with 4 lines on it isn't great on the same Y axis.

You could do this to get the 4 values:

index=_internal earliest=-7d@d latest=@h
| timechart span=1h count
| streamstats time_window=4h sum(count) as Hour4
| streamstats time_window=24h sum(count) as Hour24
| streamstats time_window=1w sum(count) as Week
| reverse
| head 1
| eval Periods="Results"
| table Periods count Hour4 Hour24 Week

and show that as a column chart, or remove the 'Periods' value and show the results as single values in trellis mode.
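As an added illustration (not code from either poster), here is a small Python model of what the timechart + streamstats pipelines in these answers compute, run over constructed sample hits, so the hourly, 4h, 24h and weekly per-page totals behind the chart can be checked by hand. It assumes the streamstats time_window is left-open (a 4h window at an hourly bucket covers that bucket and the three before it), and the page names and timestamps are made up.

```python
"""Model of `timechart span=1h count by page` followed by chained
`streamstats time_window=... sum(...)`, then `| reverse | head 1`.
Added example, not from the thread; all data below is constructed."""
from collections import Counter
from datetime import datetime, timezone

HOUR = 3600
# Assumed window semantics: a bucket is inside the window when
# _time > current_time - width (so 4h == 4 hourly buckets).
WINDOWS = {"H04": 4 * HOUR, "H24": 24 * HOUR, "Wk": 7 * 24 * HOUR}

# Constructed sample events: (epoch seconds, page). /login gets 3 hits
# every hour for 30 hours; /admin gets 3 hits every sixth hour.
T0 = int(datetime(2024, 5, 1, 0, 0, tzinfo=timezone.utc).timestamp())
EVENTS = [(T0 + h * HOUR + m * 60, page)
          for h in range(30)
          for m in (5, 25, 45)
          for page in (("/login",) + (("/admin",) if h % 6 == 0 else ()))]


def timechart_by_page(events, span=HOUR):
    """One row per time bucket, one zero-filled column per page."""
    buckets = Counter()
    for ts, page in events:
        buckets[(ts // span * span, page)] += 1
    pages = sorted({p for _, p in buckets})
    times = sorted({t for t, _ in buckets})
    return [{"_time": t, **{p: buckets[(t, p)] for p in pages}} for t in times]


def rolling_totals(rows, windows):
    """For every row and page add <name>_<page>: the sum of that page's
    counts over all rows whose _time falls inside the trailing window.
    Rows must be in ascending _time order, as timechart emits them."""
    pages = [k for k in rows[0] if k != "_time"]
    out = []
    for i, row in enumerate(rows):
        new = dict(row)
        for name, width in windows.items():
            start = row["_time"] - width
            for p in pages:
                new[f"{name}_{p}"] = sum(r[p] for r in rows[:i + 1] if r["_time"] > start)
        out.append(new)
    return out


def latest_totals(rows):
    """Equivalent of `| reverse | head 1`: the current totals per page."""
    return rows[-1]


if __name__ == "__main__":
    print(latest_totals(rolling_totals(timechart_by_page(EVENTS), WINDOWS)))
```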
