topic How to get event count hourly the last 7 days graph each day need to display different line ? in Splunk Search

How to get event count hourly the last 7 days graph each day need to display different line ?

kumar22 — Mon, 29 Jan 2018 15:29:20 GMT

one particular system event count hourly the last 7 days graph each day need to display different line

X - axis -- 0 - 24 hours

Y Axis - event count

Also is it possiable to trigger alert if any deviation

philipmattocks — Mon, 29 Jan 2018 15:40:35 GMT

Hi,

Something like:

index=your_index earliest=-7d@d latest=@d 
| timechart span=1h count 
| timewrap 1d

Let me know if that helps.

Philip

somesoni2 — Mon, 29 Jan 2018 15:43:10 GMT

Try like this

your base search
| eval Day=strftime(_time,"%Y-%m-%d") | eval Hour=strftime(_time,"%H:00")
| chart count over Hour by Day

kumar22 — Tue, 29 Sep 2020 17:55:30 GMT

Thank you, Philip,

It's working fine. I have some more doubt in the graph.

In the graph sheet, we are getting 7 separate graphs with individual y-Axis. Is it possible to have consolidated graph for a week?
Is it possible to customize field name - "NULL_6days_ago" as "6days_ago" ?

philipmattocks — Tue, 30 Jan 2018 14:11:31 GMT

Do you have the multi-series mode enabled in your visualisation? If so, when you disable it, the graphs should be combined onto a single y-axis. The same goes for if you have trellis mode enabled.
I'm not sure if you can change what these fields are called...what is the query you're using?

Thanks

niketn — Tue, 30 Jan 2018 14:15:24 GMT

What do you mean by consolidated graph for a week? In you question you had asked for last 7 days graph with different lines.

For second query, you can try the following.

| rename "NULL_*" as *

For finding deviations you would need to add more historic data and possibly use Machine Learning Toolkit for finding suitable algorithm for outlier.