Re: how to report based on date

avikc100 · ‎01-02-2024

I am getting the count of each interface, but I need it date wise

as example below :

please help to modify my query

avikc100 · ‎01-04-2024

@dtburrows3

this query showing date &time haphazardly, how to sort it like 1/4/2024, 1/3/2024, 1/2/2024....

index="*" source="*" |eval
timestamp=strftime(_time, "%m/%d/%Y")
| chart limit=30
count as count
over DFOINTERFACE
by timestamp

dtburrows3 · ‎01-02-2024

Assuming that your events have proper timestamps extracted to the _time field you should be able to do this.

source="/apps/WebMethods/IntegrationServer/instances/default/logs/DFO.log"
    | timechart limit=30 span=1d 
        count as count 
            by DFOINTERFACE

avikc100 · ‎01-02-2024

Hi @dtburrows3

its giving different result. I just want in reverse direction
its giving me like this :

but I want like this

dtburrows3 · ‎01-02-2024

You can try this to get the report in that format.

Edit: Noticed that the chart method could mess up the order of dates from left to right so I think sorting first and then doing a transpose should fix it.

source="/apps/WebMethods/IntegrationServer/instances/default/logs/DFO.log"
    | timechart span=1d limit=30
        count as count
            by DFOINTERFACE
    | sort 0 +_time
    | eval
        timestamp=strftime(_time, "%m/%d/%Y")
    | fields + timestamp, *
    | fields - _*
    | transpose 30 header_field=timestamp
    | rename
        column as "DFOINTERFACE \ Date"

Example from my local instance.

avikc100 · ‎01-02-2024

thank you very much

how to report based on date

stats

timechart

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?