How can I produce results with a span of 1 day

New Member

Hi,

I am joining several source files in Splunk to generate some total count. One thing to note is I am using ctcSalt= to reindex all my source files to day, as only very few files will be changed when compared to others, and I need to reindex all the files as per my use case.

Here I start using | stats count | timechart span=1d count(field) at the end of the string and it does not provide any results. I also tried xyseries, still no results.

How do I span the results for each day?


Champion

timechart requires a _time field. For example, the daily count is:

(your search)|timechart span=1d count


New Member

Hello,

I am able to generate the single day count by adding (my search)| stats count, but if I use (my search) |timechart span=1d count or (my search) | stats count |timechart span=1d count, I am not getting any results, and the provided time range is All time.


Champion

(my search)| stats count
(my search) |timechart span=1d count
The top moves but the bottom doesn't move; you can only think of deleting "_time". Please provide a complete search statement.

(my search) | stats count |timechart span=1d count,
→This doesn't work


New Member

Hello

Below is my actual query


Champion
 |table TestCaseName,SysReqID,TestCaseID,Verdict,CurrentTestcaseResultURL

You can't use "timechart" here because "_time" is gone.

Also, due to "dedup", there will be only the latest one for each "CurrentTestcaseResultURL".


New Member

Thanks for your reply. And yes, we use dedup to fetch only the latest URL for each day. That's why we re-index the data every day. Is there any other way to get the historical trend for this search on a daily basis?


Champion

For example, how about setting the "target date" so that it is always included in DEDUP, JOIN, and STATS?

|eval target_date=strftime(_time,"%Y-%m-%d")

EX.
index="usa_*_test"・・・
・・・|join type=inner DNGProjectAreaID,target_date
・・・|dedup LinkStartID,target_date
・・・|stats count by target_date

・・・・・・・

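The suggestion above as a self-contained search (an added example, not part of the original thread): makeresults builds twelve constructed events over three days for two placeholder result URLs, and only CurrentTestcaseResultURL, target_date and _time are names taken from the thread. Because dedup on URL plus target_date keeps whole events, _time survives and timechart can still bucket by day.

```spl
| makeresults count=12
| streamstats count AS n
| eval _time = relative_time(now(), "@d") - ((n % 3) * 86400) + (n * 600)
| eval CurrentTestcaseResultURL = "https://example.invalid/result/" . tostring(n % 2)
| eval target_date = strftime(_time, "%Y-%m-%d")
| sort 0 - _time
| dedup CurrentTestcaseResultURL target_date
| timechart span=1d count
```

Each of the three daily buckets shows a count of 2, the latest result per URL for that day. Ending with | stats count by target_date instead gives the same totals as a plain table.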

New Member

Thanks for the update. I managed to come up with a solution by scheduling the report to generate a CSV and appending the same every day to reach my visualization destination. I will also try out your opinion. Thanks
