https://community.splunk.com/t5/Dashboards-Visualizations/Data-visualization-over-the-day-by-hours/m-p/515704#M34496 <P>Hi there,</P><P>I know it sound pretty easy, but I am stuck with a dashboard which splits the events by hours of the day, to see for example the amount of events on every hours (from 00h to 23h)</P><P>My request is like that:</P><P>index=_internal | convert timeformat="%H" ctime(_time) AS Hour | stats count by Hour | sort Hour | rename count as "SENT"</P><P>Only problem with the request is that I am missing zero entries in the histogram, and I wanted to have always the 24 hours displayed (even with zero results).</P><P>Any way to do this ?</P><P>Hope it will help others</P> Mon, 24 Aug 2020 07:26:49 GMT sweiland 2020-08-24T07:26:49Z https://community.splunk.com/t5/Dashboards-Visualizations/Data-visualization-over-the-day-by-hours/m-p/515704#M34496 <P>Hi there,</P><P>I know it sound pretty easy, but I am stuck with a dashboard which splits the events by hours of the day, to see for example the amount of events on every hours (from 00h to 23h)</P><P>My request is like that:</P><P>index=_internal | convert timeformat="%H" ctime(_time) AS Hour | stats count by Hour | sort Hour | rename count as "SENT"</P><P>Only problem with the request is that I am missing zero entries in the histogram, and I wanted to have always the 24 hours displayed (even with zero results).</P><P>Any way to do this ?</P><P>Hope it will help others</P> Mon, 24 Aug 2020 07:26:49 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Data-visualization-over-the-day-by-hours/m-p/515704#M34496 sweiland 2020-08-24T07:26:49Z https://community.splunk.com/t5/Dashboards-Visualizations/Data-visualization-over-the-day-by-hours/m-p/515707#M34498 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/222813">@sweiland</a>,</P><P>did you explored the timechart command (<A href="https://docs.splunk.com/Documentation/Splunk/8.0.5/SearchReference/Timechart" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.0.5/SearchReference/Timechart</A>)?</P><P>You could try something like this:</P><P>&nbsp;</P><LI-CODE lang="markup">index=_internal | timechart span=1h count AS "SENT"</LI-CODE><P>&nbsp;</P><P>Ciao.</P><P>Giuseppe</P> Mon, 24 Aug 2020 07:40:27 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Data-visualization-over-the-day-by-hours/m-p/515707#M34498 gcusello 2020-08-24T07:40:27Z https://community.splunk.com/t5/Dashboards-Visualizations/Data-visualization-over-the-day-by-hours/m-p/515709#M34499 <P>Idea is to have the timespan 1h but only for one day</P><P>Example:</P><P>Data from 1 complete month, but splitted for every hour (the timechart is not a "group by hours")</P> Mon, 24 Aug 2020 07:58:25 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Data-visualization-over-the-day-by-hours/m-p/515709#M34499 sweiland 2020-08-24T07:58:25Z https://community.splunk.com/t5/Dashboards-Visualizations/Data-visualization-over-the-day-by-hours/m-p/515710#M34500 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/222813">@sweiland</a>&nbsp;,<BR /><BR />The timechart as recommended by <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;helps to create a row for each hour of the day. It will add a row even if there are no values for an hour.<BR /><BR />In addition, this will split/sumup by Hour, does not matter how many days the search timeframe is:<BR /><BR /></P><LI-CODE lang="markup">index=_internal | timechart span=1h count | eval Hour = strftime(_time,"%H") | chart sum(count) as count by Hour</LI-CODE><P>&nbsp;<BR />Hope it helps,<BR />BR<BR />Ralph<BR />--<BR /><EM>Karma and/or Solution tagging appreciated.</EM><BR /><BR /></P> Mon, 24 Aug 2020 08:07:56 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Data-visualization-over-the-day-by-hours/m-p/515710#M34500 rnowitzki 2020-08-24T08:07:56Z https://community.splunk.com/t5/Dashboards-Visualizations/Data-visualization-over-the-day-by-hours/m-p/515711#M34501 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/222813">@sweiland</a>,</P><P>if you want the span of 1 hour for the full month, timechart span=1h is correct</P><P>if instead you want two&nbsp; different spans,it isn't possible in one panel.</P><P>you could have two panels: one for the last day (with span=1h) and one for the full month (span=1d),</P><P>Ciao.</P><P>Giuseppe</P><P>&nbsp;</P> Mon, 24 Aug 2020 08:09:12 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Data-visualization-over-the-day-by-hours/m-p/515711#M34501 gcusello 2020-08-24T08:09:12Z https://community.splunk.com/t5/Dashboards-Visualizations/Data-visualization-over-the-day-by-hours/m-p/515721#M34502 <P>Works indeed perfectly, thanks to both of you</P> Mon, 24 Aug 2020 08:37:34 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Data-visualization-over-the-day-by-hours/m-p/515721#M34502 sweiland 2020-08-24T08:37:34Z