topic Re: How can I produce results with a span of 1 day in Splunk Search

How can I produce results with a span of 1 day

Gowtham0809 — Wed, 18 Sep 2019 07:27:36 GMT

Hi,

I am joining several source files in splunk to degenerate some total count. One thing to note is I am using ctcSalt= to reindex all my source file to day, as only very few files will be chnaged when compared to other and i need to reindex all the files as per my usecase.

Here I start using | stats count | timechart span=1d count(field) at the end of of the string and it does not provide any results, i also tries xyseries still no results.

How do i span the results for each day?

Re: How can I produce results with a span of 1 day

HiroshiSatoh — Wed, 18 Sep 2019 07:37:22 GMT

timechart requires a _time field. For example, the daily count is:

(your search)|timechart span=1d count

Re: How can I produce results with a span of 1 day

Gowtham0809 — Wed, 18 Sep 2019 07:44:22 GMT

Hello,

I am able to generate the single day count by adding (my search)| stats count, but if use (my search) |timechart span=1d count or (my search) | stats count |timechart span=1d count, I am not gettting any results and provided time range is all time.

Re: How can I produce results with a span of 1 day

HiroshiSatoh — Wed, 18 Sep 2019 08:39:05 GMT

(my search)| stats count
(my search) |timechart span=1d count
The top moves but the bottom doesn't move, you can only think of deleting ”_time”. Please provide a complete search statement.

(my search) | stats count |timechart span=1d count,
→This doesn't work

Re: How can I produce results with a span of 1 day

Gowtham0809 — Wed, 18 Sep 2019 09:11:21 GMT

Hello

below is my actual quiry

Re: How can I produce results with a span of 1 day

HiroshiSatoh — Thu, 19 Sep 2019 04:50:56 GMT

 |table TestCaseName,SysReqID,TestCaseID,Verdict,CurrentTestcaseResultURL

You can't use "timechart" here because "_time" is gone.

Also, due to "dedup", there will be only the latest one for each "CurrentTestcaseResultURL".

Re: How can I produce results with a span of 1 day

Gowtham0809 — Thu, 19 Sep 2019 05:02:12 GMT

Thanks for your reply. And Yes, we use dedup to fecth only the latest url for each day. Thats why we re-index the data every day. is there any other way to get the historical trend for this search on daily basis?

Re: How can I produce results with a span of 1 day

HiroshiSatoh — Thu, 19 Sep 2019 06:05:39 GMT

For example, how about setting the "target date" so that it is always included in DEDUP, JOIN, and STATS?

|eval target_date=strftime(_time,"%Y-%m-%d")

EX.
index="usa_*_test"・・・
・・・|join type=inner DNGProjectAreaID,target_date
・・・|dedup LinkStartID,target_date
・・・|stats count by target_date

・・・・・・・

Re: How can I produce results with a span of 1 day

Gowtham0809 — Thu, 19 Sep 2019 06:35:39 GMT

Thanks for the update, I managed to come up with a solution by scheduling the report to generate a csv and append the same everyday to reach by visualization destination. I will also try out your opinion. Thanks