Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Data visualization over the day (by hours)

sweiland
Path Finder
‎08-24-2020 12:26 AM

Hi there,

I know it sound pretty easy, but I am stuck with a dashboard which splits the events by hours of the day, to see for example the amount of events on every hours (from 00h to 23h)

My request is like that:

index=_internal | convert timeformat="%H" ctime(_time) AS Hour | stats count by Hour | sort Hour | rename count as "SENT"

Only problem with the request is that I am missing zero entries in the histogram, and I wanted to have always the 24 hours displayed (even with zero results).

Any way to do this ?

Hope it will help others

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rnowitzki
Builder
‎08-24-2020 01:07 AM

Hi @sweiland ,

The timechart as recommended by @gcusello helps to create a row for each hour of the day. It will add a row even if there are no values for an hour.

In addition, this will split/sumup by Hour, does not matter how many days the search timeframe is:

index=_internal 
| timechart span=1h count
| eval Hour = strftime(_time,"%H") 
| chart sum(count) as count by Hour

 
Hope it helps,
BR
Ralph
--
Karma and/or Solution tagging appreciated.

--
Karma and/or Solution tagging appreciated.

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-24-2020 12:39 AM

Hi @sweiland,

did you explored the timechart command (https://docs.splunk.com/Documentation/Splunk/8.0.5/SearchReference/Timechart)?

You could try something like this:

 

index=_internal 
| timechart span=1h count AS "SENT"

 

Ciao.

Giuseppe

Reply
Solved! Jump to solution

sweiland
Path Finder
‎08-24-2020 12:58 AM

Idea is to have the timespan 1h but only for one day

Example:

Data from 1 complete month, but splitted for every hour (the timechart is not a "group by hours")

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-24-2020 01:09 AM

Hi @sweiland,

if you want the span of 1 hour for the full month, timechart span=1h is correct

if instead you want two  different spans,it isn't possible in one panel.

you could have two panels: one for the last day (with span=1h) and one for the full month (span=1d),

Ciao.

Giuseppe

 

Reply
Solved! Jump to solution
Solution

rnowitzki
Builder
‎08-24-2020 01:07 AM

Hi @sweiland ,

The timechart as recommended by @gcusello helps to create a row for each hour of the day. It will add a row even if there are no values for an hour.

In addition, this will split/sumup by Hour, does not matter how many days the search timeframe is:

index=_internal 
| timechart span=1h count
| eval Hour = strftime(_time,"%H") 
| chart sum(count) as count by Hour

 
Hope it helps,
BR
Ralph
--
Karma and/or Solution tagging appreciated.

--
Karma and/or Solution tagging appreciated.
Reply
Solved! Jump to solution

sweiland
Path Finder
‎08-24-2020 01:37 AM

Works indeed perfectly, thanks to both of you

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...