Hi there,
I know it sounds pretty easy, but I am stuck with a dashboard which splits the events by hours of the day, to see for example the amount of events in every hour (from 00h to 23h).
My request is like that:
index=_internal | convert timeformat="%H" ctime(_time) AS Hour | stats count by Hour | sort Hour | rename count as "SENT"
Only problem with the request is that I am missing zero entries in the histogram, and I wanted to have always the 24 hours displayed (even with zero results).
Any way to do this?
Hope it will help others
Hi @sweiland ,
The timechart as recommended by @gcusello helps to create a row for each hour of the day. It will add a row even if there are no values for an hour.
In addition, this will split/sum up by Hour; it does not matter how many days the search timeframe is:
index=_internal
| timechart span=1h count
| eval Hour = strftime(_time,"%H")
| chart sum(count) as count by Hour
Hope it helps,
BR
Ralph
--
Karma and/or Solution tagging appreciated.
Hi @sweiland,
did you explore the timechart command (https://docs.splunk.com/Documentation/Splunk/8.0.5/SearchReference/Timechart)?
You could try something like this:
index=_internal
| timechart span=1h count AS "SENT"
Ciao.
Giuseppe
The idea is to have the timespan of 1h but only for one day.
Example:
Data from 1 complete month, but split for every hour (the timechart is not a "group by hours")
Hi @sweiland,
If you want the span of 1 hour for the full month, timechart span=1h is correct.
If instead you want two different spans, it isn't possible in one panel.
You could have two panels: one for the last day (with span=1h) and one for the full month (span=1d).
Ciao.
Giuseppe
Works indeed perfectly, thanks to both of you
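Added example, not part of the original thread: timechart only zero-fills buckets inside the searched time range, so a search window shorter than a full day can still leave hours out. This variant appends 24 generated zero rows so every hour from 00 to 23 is always present; the field name n is a scratch name chosen here.

```spl
index=_internal
| eval Hour=strftime(_time, "%H")
| stats count by Hour
| append
    [| makeresults count=24
     | streamstats count AS n
     | eval Hour=printf("%02d", n-1), count=0
     | fields Hour count]
| stats sum(count) AS SENT by Hour
| sort Hour
```

The subsearch builds one row per hour with count=0, and the final stats sums real and generated rows, so hours without events report SENT=0.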