https://community.splunk.com/t5/Splunk-Search/Display-day-wise-results-for-a-stats-count/m-p/303941#M91405 <P>Hello</P> <P>I have a below query.<BR /> sourcetype=ProcessStart OR sourcetype=ProcessEnd | transaction RunID | table RunID, Robot, host, duration </P> <P>I need to count the sum(duration) by host and I want the result to be displayed day wise. </P> <P>The result should be something like, Day1, host1, duration<BR /> Day1, host2, duration<BR /> Day2, host1, duration<BR /> Day2, host2, duration</P> <P>How can I do that? Timechard sum(duration) span=1d works, but I need the duration to be calculated according to the host. How do I do that?</P> <P>Thanks<BR /> Maria Arokiaraj</P> Fri, 12 Jan 2018 11:39:08 GMT maria2691 2018-01-12T11:39:08Z https://community.splunk.com/t5/Splunk-Search/Display-day-wise-results-for-a-stats-count/m-p/303941#M91405 <P>Hello</P> <P>I have a below query.<BR /> sourcetype=ProcessStart OR sourcetype=ProcessEnd | transaction RunID | table RunID, Robot, host, duration </P> <P>I need to count the sum(duration) by host and I want the result to be displayed day wise. </P> <P>The result should be something like, Day1, host1, duration<BR /> Day1, host2, duration<BR /> Day2, host1, duration<BR /> Day2, host2, duration</P> <P>How can I do that? Timechard sum(duration) span=1d works, but I need the duration to be calculated according to the host. How do I do that?</P> <P>Thanks<BR /> Maria Arokiaraj</P> Fri, 12 Jan 2018 11:39:08 GMT https://community.splunk.com/t5/Splunk-Search/Display-day-wise-results-for-a-stats-count/m-p/303941#M91405 maria2691 2018-01-12T11:39:08Z https://community.splunk.com/t5/Splunk-Search/Display-day-wise-results-for-a-stats-count/m-p/303942#M91406 <P>hey try this</P> <PRE><CODE>sourcetype=ProcessStart OR sourcetype=ProcessEnd | transaction RunID | table _time RunID, Robot, host, duration | bin _time span=1d | stats sum(duration) by _time host | sort- _time </CODE></PRE> <P>let me know if this helps!</P> Fri, 12 Jan 2018 11:48:02 GMT https://community.splunk.com/t5/Splunk-Search/Display-day-wise-results-for-a-stats-count/m-p/303942#M91406 mayurr98 2018-01-12T11:48:02Z https://community.splunk.com/t5/Splunk-Search/Display-day-wise-results-for-a-stats-count/m-p/303943#M91407 <P>Hello @mayurr98</P> <P>I tried this one already with bucket command and now with bin also as you have suggested.<BR /> For some reason, I am not getting any results out of these queries <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span> </P> Fri, 12 Jan 2018 12:25:22 GMT https://community.splunk.com/t5/Splunk-Search/Display-day-wise-results-for-a-stats-count/m-p/303943#M91407 maria2691 2018-01-12T12:25:22Z https://community.splunk.com/t5/Splunk-Search/Display-day-wise-results-for-a-stats-count/m-p/303944#M91408 <P>hey can you try this as <CODE>| table _time RunID, Robot, host, duration</CODE> seems irrelavent. Also try below query for last 7 days or more. I tried in a test environment the query is working as long as you have enough data.Specify <CODE>your_index</CODE> at start of the search</P> <PRE><CODE> index=your_index sourcetype=ProcessStart OR sourcetype=ProcessEnd | transaction RunID | bin _time span=1d | stats sum(duration) by _time host | sort- _time </CODE></PRE> <P>If above query does not work then try <CODE>sourcetype=ProcessStart OR sourcetype=ProcessEnd | transaction RunID</CODE> and see if you get any output. If you are getting output then the above query must work. </P> Fri, 12 Jan 2018 12:31:25 GMT https://community.splunk.com/t5/Splunk-Search/Display-day-wise-results-for-a-stats-count/m-p/303944#M91408 mayurr98 2018-01-12T12:31:25Z https://community.splunk.com/t5/Splunk-Search/Display-day-wise-results-for-a-stats-count/m-p/303945#M91409 <P>Thanks @mayurr98</P> <P>It worked. Understood that the Table command in between caused the issue <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 12 Jan 2018 13:29:20 GMT https://community.splunk.com/t5/Splunk-Search/Display-day-wise-results-for-a-stats-count/m-p/303945#M91409 maria2691 2018-01-12T13:29:20Z