Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Data visualization over the day (by hours)

sweiland
Path Finder
‎08-24-2020 12:26 AM

Hi there,

I know it sound pretty easy, but I am stuck with a dashboard which splits the events by hours of the day, to see for example the amount of events on every hours (from 00h to 23h)

My request is like that:

index=_internal | convert timeformat="%H" ctime(_time) AS Hour | stats count by Hour | sort Hour | rename count as "SENT"

Only problem with the request is that I am missing zero entries in the histogram, and I wanted to have always the 24 hours displayed (even with zero results).

Any way to do this ?

Hope it will help others

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rnowitzki
Builder
‎08-24-2020 01:07 AM

Hi @sweiland ,

The timechart as recommended by @gcusello helps to create a row for each hour of the day. It will add a row even if there are no values for an hour.

In addition, this will split/sumup by Hour, does not matter how many days the search timeframe is:

index=_internal 
| timechart span=1h count
| eval Hour = strftime(_time,"%H") 
| chart sum(count) as count by Hour

 
Hope it helps,
BR
Ralph
--
Karma and/or Solution tagging appreciated.

--
Karma and/or Solution tagging appreciated.

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-24-2020 12:39 AM

Hi @sweiland,

did you explored the timechart command (https://docs.splunk.com/Documentation/Splunk/8.0.5/SearchReference/Timechart)?

You could try something like this:

 

index=_internal 
| timechart span=1h count AS "SENT"

 

Ciao.

Giuseppe

Reply
Solved! Jump to solution

sweiland
Path Finder
‎08-24-2020 12:58 AM

Idea is to have the timespan 1h but only for one day

Example:

Data from 1 complete month, but splitted for every hour (the timechart is not a "group by hours")

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-24-2020 01:09 AM

Hi @sweiland,

if you want the span of 1 hour for the full month, timechart span=1h is correct

if instead you want two  different spans,it isn't possible in one panel.

you could have two panels: one for the last day (with span=1h) and one for the full month (span=1d),

Ciao.

Giuseppe

 

Reply
Solved! Jump to solution
Solution

rnowitzki
Builder
‎08-24-2020 01:07 AM

Hi @sweiland ,

The timechart as recommended by @gcusello helps to create a row for each hour of the day. It will add a row even if there are no values for an hour.

In addition, this will split/sumup by Hour, does not matter how many days the search timeframe is:

index=_internal 
| timechart span=1h count
| eval Hour = strftime(_time,"%H") 
| chart sum(count) as count by Hour

 
Hope it helps,
BR
Ralph
--
Karma and/or Solution tagging appreciated.

--
Karma and/or Solution tagging appreciated.
Reply
Solved! Jump to solution

sweiland
Path Finder
‎08-24-2020 01:37 AM

Works indeed perfectly, thanks to both of you

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...