Hi All,
I am fetching data from the database and have the below fields (no raw time provided):
1. Date field (e.g. 2020-04-28 00:00:00.0 ["%Y-%m-%d %H:%M:%S.%Q" format])
2. Status field (e.g. A,B,C,D,E)
How can I have the below nested hour columns inside the daily field? (I have attached an image of what I want to achieve, but in Splunk.)
1. 10am - 12pm
2. 12pm - 3pm
3. 3pm - 6pm
4. 6pm - 10am
Currently, I am only able to achieve a daily view of status, but now I want the status for the above hours within a daily view in a column bar chart.
My current query to achieve the daily view of status in a column bar chart:
| dbxquery query=" " connection=" "
| eval create_date = strptime(CREATED_DT, "%Y-%m-%d %H:%M:%S.%Q")
| where create_date >= relative_time(strptime(strftime(now(),"%d-%b-%y"),"%d-%b-%y") , "-3d") AND create_date <= strptime(strftime(now(),"%d-%b-%y %H:%M:%S.%Q"), "%d-%b-%y %H:%M:%S.%Q")
| eval create_date_new = strftime(create_date,"%d-%b-%y")
| chart count over create_date_new by STATUS
I would appreciate it if anyone can help me with this issue. (Attached screenshot of what I want)
Thanks!
Zovin