Help in time filter and sorting

jerinvarghese · ‎06-15-2020

Hi All,

Need a best solution in plotting a graph. for daily based alerting/ticketing am receiving.

Query am using is below. Also the search is for last 30 days.

index=itsm 
| eval Time=strftime(_time,"%b-%d")
| sort - Time
| stats  count by USER Time 
| xyseries  Time USER count 
| fillnull value=0

Output, I am getting is:

My graph looks like:

I am unable to sort it in monthly order, I tried a different way- but I am not getting June after May.

Any other graph way this looks better also pls suggest.

Please help me with this.

to4kawa · ‎06-15-2020

index=itsm 
| timechart span=1d by USER
| rename _time as Time
| eval Time=strftime(Time,"%b-%d")

how about this?

sample:

| tstats count where index=_audit by _time span=1d
| eval time=strftime(_time,"%b-%d")
| table time count
| head 30

direkp · ‎06-15-2020

You can use timechart

1) count all requests

index=itsm
| timechart span=1d count

2) if you want to unique count user

index=itsm
| timechart span=1d dc(user) as user

rnowitzki · ‎06-15-2020

Add this at the very end and it should sort correct.

| eval sort_time=strptime(Time,"%b-%d")
| sort 0 sort_time
| fields - sort_time

edit: you should remove your first sort, based on "Time".

--
Karma and/or Solution tagging appreciated.