Solved: Re: Over a week's timespan, how do I display how m...

orchapellico · ‎11-21-2018

I am getting a bunch of nulls in my results and I'm not sure why. I am trying to build a graph that will show over a business week how many times a server is restarted. Then display is by day and host, on which days with a proper count.

host="" "Server startup" | chart count by host, date_wday

Is there a better way? I was trying to do it with the timechart command, but i'm running into problems there.

Vijeta · ‎11-21-2018

You can use below query-

 host="" "Server startup"| eval day=strftime(_time, "%A")| chart count by host day

View solution in original post

Vijeta · ‎11-21-2018

You can use below query-

 host="" "Server startup"| eval day=strftime(_time, "%A")| chart count by host day

orchapellico · ‎11-21-2018

Thank you, this is exactly what I was looking for.

akocak · ‎11-21-2018

host="" "Server startup" | chart count by host, date_wday usenull=false

However, If I were you, I would try to find another variable like "restart time" and use dc. also this may do it

...| timechart count by host span=1d usenull=false

Also this would do it:

host="" "Server startup" | bin _time span=1d| stats count by _time, host

Vijeta · ‎11-21-2018

Do your events have date_wday field. Looks like the events dont have this field that's why resulting into NULL.

orchapellico · ‎11-21-2018

They are not all showing up at null, that is what is throwing me off. If there is another way to do this, I would like to know. Thank you for your thoughts.

Over a week's timespan, how do I display how many restarts are happening per day on a host?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases