https://community.splunk.com/t5/Splunk-Search/Timechart-problem/m-p/56665#M13882 <P>Hi:</P> <P>I'm new to Splunk and I've been trying to run the following query for a couple of weeks but I only get data for the current date:</P> <PRE><CODE>sourcetype="bcoat_proxysg" action!="TCP_HIT" | eval P1=split(proxy_server,"G")|eval GW=mvindex(P1,0)|eval Gateway=if(GW = "xx1","Site1", if(GW="xx2","Site2", GW))|eventstats sum(cs_bytes) as dl by Gateway|timechart count(eval(dl/1048576)) as "Download (MBytes)" by Gateway span=24h</CODE></PRE> <P>OR </P> <PRE><CODE>sourcetype="bcoat_proxysg" action!="TCP_HIT" | eval P1=split(proxy_server,"G")|eval GW=mvindex(P1,0)|eval Gateway=if(GW = "xx1","DCW", if(GW="xx2","DCE", GW))|eventstats sum(cs_bytes) as dl by Gateway|bucket _time span=24h|convert timeformat="%m/%d/%Y" ctime(_time) AS c_time|chart count(eval(dl/1048576)) as "Download (MBytes)" over c_time by Gateway</CODE></PRE> <P>In short, I'm trying to get the downloads (sc_bytes) in Megabytes (the information is provided in bytes) by Gateway per day.</P> <P>Can anybody point me to what I am doing wrong?</P> <P>Thanks!</P> Thu, 06 Dec 2012 20:02:43 GMT Kelvin_Perez 2012-12-06T20:02:43Z https://community.splunk.com/t5/Splunk-Search/Timechart-problem/m-p/56665#M13882 <P>Hi:</P> <P>I'm new to Splunk and I've been trying to run the following query for a couple of weeks but I only get data for the current date:</P> <PRE><CODE>sourcetype="bcoat_proxysg" action!="TCP_HIT" | eval P1=split(proxy_server,"G")|eval GW=mvindex(P1,0)|eval Gateway=if(GW = "xx1","Site1", if(GW="xx2","Site2", GW))|eventstats sum(cs_bytes) as dl by Gateway|timechart count(eval(dl/1048576)) as "Download (MBytes)" by Gateway span=24h</CODE></PRE> <P>OR </P> <PRE><CODE>sourcetype="bcoat_proxysg" action!="TCP_HIT" | eval P1=split(proxy_server,"G")|eval GW=mvindex(P1,0)|eval Gateway=if(GW = "xx1","DCW", if(GW="xx2","DCE", GW))|eventstats sum(cs_bytes) as dl by Gateway|bucket _time span=24h|convert timeformat="%m/%d/%Y" ctime(_time) AS c_time|chart count(eval(dl/1048576)) as "Download (MBytes)" over c_time by Gateway</CODE></PRE> <P>In short, I'm trying to get the downloads (sc_bytes) in Megabytes (the information is provided in bytes) by Gateway per day.</P> <P>Can anybody point me to what I am doing wrong?</P> <P>Thanks!</P> Thu, 06 Dec 2012 20:02:43 GMT https://community.splunk.com/t5/Splunk-Search/Timechart-problem/m-p/56665#M13882 Kelvin_Perez 2012-12-06T20:02:43Z https://community.splunk.com/t5/Splunk-Search/Timechart-problem/m-p/56666#M13883 <P>Firstly, I managed to produce some results with your search, though I had to modify it to work with <CODE>access_combined</CODE>, (<CODE>bytes</CODE> instead of <CODE>cs_bytes</CODE>, <CODE>clientip</CODE> instead of <CODE>Gateway</CODE> etc)</P> <P>I think you are using <CODE>count</CODE> in the wrong way, at least if you want to find the amount of data being transferred. Try the <CODE>eval</CODE> for the bytes -&gt; megabytes first, and make a <CODE>sum</CODE> in the <CODE>timechart</CODE>.</P> <PRE><CODE>sourcetype="bcoat_proxysg" action!="TCP_HIT" | eval P1=split(proxy_server,"G")|eval GW=mvindex(P1,0)|eval Gateway=if(GW = "xx1","Site1", if(GW="xx2","Site2", GW))| eval MB=cs_bytes/1024/1024| timechart sum(MB) as "Download (MBytes)" by Gateway span=24h </CODE></PRE> <P>Hope this helps,</P> <P>Kristian</P> Thu, 06 Dec 2012 21:47:25 GMT https://community.splunk.com/t5/Splunk-Search/Timechart-problem/m-p/56666#M13883 kristian_kolb 2012-12-06T21:47:25Z https://community.splunk.com/t5/Splunk-Search/Timechart-problem/m-p/56667#M13884 <P>Hi Kristian:Thanks a lot for the example! Seems to be working better. However, I'm still getting data only for the current date or the last date in the selected custom range. All other dates return no data.:(</P> Fri, 07 Dec 2012 15:54:01 GMT https://community.splunk.com/t5/Splunk-Search/Timechart-problem/m-p/56667#M13884 Kelvin_Perez 2012-12-07T15:54:01Z