Solved: Dashboard timechart

prasant · ‎12-07-2023

How to display timechart for specific time period for specific business days.

Eg: index="someindex" |dedup eventid| timechart count(_raw) by eventName span=60m for monday,tuesday, wednesday, thursday, friday during 6pm - 8pm. Or for specific dates .How can achieve this?

thanks in advance

bowesmana · ‎12-07-2023

You can do this if you have the date_wday field in your data

index="someindex" date_wday IN ("monday","tuesday","wednesday","thursday","friday") date_hour>=18 date_hour<20
| dedup eventid
| timechart count(_raw) by eventName span=60m

If you don't have those fields you can do

index="someindex" 
| eval date_wday=strftime(_time, "%a")
| eval date_hour=strftime(_time, "%H")
| search date_wday IN ("mon","tue","wed","thu","fri") date_hour>=18 date_hour<20
| dedup eventid
| timechart count(_raw) by eventName span=60m

View solution in original post

prasant · ‎12-13-2023

thanks, it helped .

bowesmana · ‎12-07-2023

You can do this if you have the date_wday field in your data

index="someindex" date_wday IN ("monday","tuesday","wednesday","thursday","friday") date_hour>=18 date_hour<20
| dedup eventid
| timechart count(_raw) by eventName span=60m

If you don't have those fields you can do

index="someindex" 
| eval date_wday=strftime(_time, "%a")
| eval date_hour=strftime(_time, "%H")
| search date_wday IN ("mon","tue","wed","thu","fri") date_hour>=18 date_hour<20
| dedup eventid
| timechart count(_raw) by eventName span=60m

Dashboard timechart

chart

timechart

Message Parsing in SOCK

Exploring the OpenTelemetry Collector’s Kubernetes annotation-based discovery

Use ‘em or lose ‘em | Splunk training units do expire