Hi All,
I need the best solution for plotting a graph of the daily alerts/tickets I am receiving.
The query I am using is below. The search covers the last 30 days.
index=itsm
| eval Time=strftime(_time,"%b-%d")
| sort - Time
| stats count by USER Time
| xyseries Time USER count
| fillnull value=0
The output I am getting is:
Time | USER |
1-Jun | 132 |
2-Jun | 260 |
3-Jun | 153 |
4-Jun | 72 |
5-Jun | 147 |
6-Jun | 228 |
7-Jun | 122 |
8-Jun | 195 |
9-Jun | 210 |
10-Jun | 114 |
11-Jun | 148 |
12-Jun | 168 |
13-Jun | 119 |
14-Jun | 299 |
15-Jun | 58 |
16-May | 159 |
17-May | 215 |
18-May | 195 |
19-May | 305 |
20-May | 220 |
21-May | 219 |
22-May | 160 |
23-May | 198 |
24-May | 73 |
25-May | 126 |
26-May | 308 |
27-May | 271 |
28-May | 109 |
29-May | 124 |
30-May | 144 |
31-May | 103 |
My graph looks like:
I am unable to sort it in month order. I tried a different way, but I am not getting June after May.
Please also suggest any other graph type that would look better.
Please help me with this.
index=itsm
| timechart span=1d count by USER
| rename _time as Time
| eval Time=strftime(Time,"%b-%d")
How about this?
Sample:
| tstats count where index=_audit by _time span=1d
| eval time=strftime(_time,"%b-%d")
| table time count
| head 30
You can use timechart
1) Count all requests
index=itsm
| timechart span=1d count
2) If you want a unique count of users
index=itsm
| timechart span=1d dc(USER) as user
Hi @jerinvarghese ,
Add this at the very end and it should sort correctly.
| eval sort_time=strptime(Time,"%b-%d")
| sort 0 sort_time
| fields - sort_time
Edit: you should remove your first sort, which is based on "Time".
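
The "%b-%d" label is a string with no year in it, so sorting on it cannot give calendar order. As an added example (not posted by anyone in this thread), the search below keeps the epoch _time through the aggregation, sorts on it, and builds the label as the last step; the makeresults events, the user_a/user_b names and the 2023-12-20 start date are constructed so that it runs without the itsm index and crosses a year boundary.

```spl
| makeresults count=120
| streamstats count as n
| eval _time=strptime("2023-12-20","%Y-%m-%d") + (n % 30)*86400
| eval USER=if(n % 3 == 0, "user_a", "user_b")
| bin _time span=1d
| chart count over _time by USER
| fillnull value=0
| sort 0 _time
| eval Time=strftime(_time,"%b-%d")
| fields - _time
| table Time user_a user_b
```

The rows run Dec-20 through Jan-18 in calendar order because the sort happens on the epoch value, which still carries the year, before the label replaces it.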