
date_hour values are repeated twice on the trend graph

gopiven
Explorer

Hi Splunk Experts
As I'm trying to show the trend for 7 days, I have involved the below eval expression to separate the _time things (date_hour,date_minute,date_wday,date_mday,date_month,date_year).
Time Expression:
| eval Date=strftime(_time,"%Y-%m-%d") | rex field="Date" "^(?<date_year>[^-]+)-(?<date_month>[^-]+)-(?<date_mday>.+)"
| eval date_hour=strftime(_time,"%H")
| eval date_minute=strftime(_time,"%M") | eval date_wday=strftime(_time,"%w")

and I'm using the below trend query to show the 7 days trend.
stats dc(user_id) AS USERS by date_hour, date_wday, Platform | chart eval(round(avg(USERS),0)) AS "AVERAGE USERS LOGGED IN" over date_hour by Platform

However, I can see that date_hour from 0 to 9 is repeated twice in the graph, showing as 0,00,1,01,2,02.....9,09, but both 0 and 00 show the same value.

Could you please suggest how to eliminate these repeated values for the date_hour on the graph?
For your reference, I am using the Summary Index concept, and from that I am picking up the fields to draw the trend.

0 Karma

to4kawa
Ultra Champion
| makeresults count=2 
| streamstats count 
| eval _time = if (count==2,relative_time(_time,"-8d@"), relative_time(_time,"@h")) 
| makecontinuous span=1min _time 
| appendcols 
    [| makeresults count=10000
    | eval user_id ="User".(random() % 100 + 1) 
    | eval Platform=mvindex(split("Windows,Linux,Macosx",","),(random() % 3)) 
    | table user_id Platform]
| where isnotnull(_time) 
| table _time user_id Platform 
| rename COMMENT as "this is sample. from here, your logic"
| eval Date=strftime(_time,"%Y-%m-%d") 
| rex field=Date "^(?<date_year>[^-]+)-(?<date_month>[^-]+)-(?<date_mday>.+)"
| eval date_hour=strftime(_time,"%H") 
| eval date_minute=strftime(_time,"%M") 
| eval date_wday=strftime(_time,"%w") 
| stats dc(user_id) AS USERS by date_hour, date_wday, Platform
| chart eval(round(avg(USERS),0)) AS "AVERAGE USERS LOGGED IN" over date_hour by Platform

Hi, @gopiven
date_hour is a string value, so "00" is normal.
Which field is "0"?

0 Karma
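As an added example (not to4kawa's or Splunk's own code), the search below constructs two events per hour for today, one carrying a zero-padded hour ("00") and one an unpadded hour ("0"), which reproduces the split rows described in the question; the tonumber() step before the stats is the assumed normalisation that collapses both spellings into one group key.

```spl
| makeresults count=48
| streamstats count AS n
| rename COMMENT AS "constructed sample: 24 hours of today, two events per hour; even rows get the strftime-style padded hour, odd rows an unpadded one"
| eval _time = relative_time(now(), "@d") + floor((n - 1) / 2) * 3600
| eval user_id = "User" . (n % 5)
| eval Platform = if(n % 3 == 0, "Linux", "Windows")
| eval date_wday = strftime(_time, "%w")
| eval padded = strftime(_time, "%H")
| eval date_hour = if(n % 2 == 0, padded, tostring(tonumber(padded)))
| fields - padded
| rename COMMENT AS "without the next eval, stats treats the strings '0' and '00' as different keys and the chart shows both rows"
| eval date_hour = tonumber(date_hour)
| stats dc(user_id) AS USERS by date_hour, date_wday, Platform
| chart eval(round(avg(USERS),0)) AS "AVERAGE USERS LOGGED IN" over date_hour by Platform
```

Remove the tonumber() line to see the duplicated 0/00 rows from the question; with it, each hour appears once and the x-axis sorts numerically.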

badrinath_itrs
Communicator

Splunk automatically extracts the date_hour, date_wday, date_minute, etc. fields by default if your data is ingested correctly with the event time. There is no need to extract these fields again.

Refer to the documentation for more details.

https://docs.splunk.com/Documentation/Splunk/8.0.0/Knowledge/Usedefaultfields

0 Karma