Dashboards & Visualizations

Help in time filter and sorting


Hi All,

I need the best way to plot a graph of the daily alerts/tickets I am receiving.

The query I am using is below. The search is for the last 30 days.


| eval Time=strftime(_time,"%b-%d")
| sort - Time
| stats count by USER Time
| xyseries Time USER count
| fillnull value=0


The output I am getting is:

1-Jun 132
2-Jun 260
3-Jun 153
4-Jun 72
5-Jun 147
6-Jun 228
7-Jun 122
8-Jun 195
9-Jun 210
10-Jun 114
11-Jun 148
12-Jun 168
13-Jun 119
14-Jun 299
15-Jun 58
16-May 159
17-May 215
18-May 195
19-May 305
20-May 220
21-May 219
22-May 160
23-May 198
24-May 73
25-May 126
26-May 308
27-May 271
28-May 109
29-May 124
30-May 144
31-May 103

My graph looks like:

[image: line graph.JPG]

I am unable to sort it in month order. I tried a different way, but I am not getting June after May.

Please also suggest any other type of graph that would look better.

Please help me with this.


Ultra Champion
| timechart span=1d count by USER
| rename _time as Time
| eval Time=strftime(Time,"%b-%d")

How about this?



| tstats count where index=_audit by _time span=1d
| eval time=strftime(_time,"%b-%d")
| table time count
| head 30


You can use timechart

1) count all requests

| timechart span=1d count


2) if you want a distinct count of users

| timechart span=1d dc(user) as user




Hi @jerinvarghese,

Add this at the very end and it should sort correctly.


| eval sort_time=strptime(Time,"%b-%d")
| sort 0 sort_time
| fields - sort_time


Edit: you should remove your first sort, based on "Time".


Karma and/or Solution tagging appreciated.
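To make the failure mode in this thread concrete, here is an added Python illustration (not code from the thread or from Splunk; the rows, the year 2023 and the counts are constructed). It reproduces the lexical sort the original query ends up with once Time is a "%b-%d" string, the strptime workaround from the reply above, and one caveat the reply does not cover: the label carries no year, so reparsing it cannot order days across a year boundary, whereas sorting on the original _time (which timechart keeps intact) always can.

```python
from datetime import datetime, timedelta

# Constructed sample: one row per day from 16 May to 15 June (the range in the
# question), each carrying the event timestamp Splunk keeps in _time and a
# made-up count. The year 2023 is an assumption; the question shows none.
START = datetime(2023, 5, 16)
ROWS = [(START + timedelta(days=i), 100 + (i * 37) % 250) for i in range(31)]

# Constructed rows that straddle a year boundary, to show the limit of the
# strptime-based fix.
YEAR_END_ROWS = [(datetime(2023, 12, 30) + timedelta(days=i), 50 + i) for i in range(4)]


def label(ts):
    """Same transformation as `eval Time=strftime(_time,"%b-%d")`: the day
    becomes a string such as "May-16" and the year is thrown away."""
    return ts.strftime("%b-%d")


def sort_on_label(rows):
    """What `| sort Time` does once Time is a string: plain lexical order, so
    every "Jun-.." label sorts before every "May-.." label ('J' < 'M')."""
    return sorted(rows, key=lambda r: label(r[0]))


def sort_on_reparsed_label(rows, assumed_year):
    """The accepted answer: `eval sort_time=strptime(Time,"%b-%d") | sort 0 sort_time`.
    The label has no year, so the parser has to assume one (assumed_year here;
    Splunk's strptime likewise has to pick a year for such a string). Within a
    single year this orders the days correctly."""
    def key(row):
        return datetime.strptime(label(row[0]), "%b-%d").replace(year=assumed_year)
    return sorted(rows, key=key)


def sort_on_time(rows):
    """Sort on the original epoch _time and only format the label for display;
    this is the order `timechart span=1d` gives you for free."""
    return sorted(rows, key=lambda r: r[0])


def is_chronological(rows):
    """True when the rows' real timestamps are in non-decreasing order."""
    return all(a[0] <= b[0] for a, b in zip(rows, rows[1:]))


def labels_of(rows):
    """The Time column as the chart would show it, in the rows' current order."""
    return [label(r[0]) for r in rows]


if __name__ == "__main__":
    print("lexical sort       :", labels_of(sort_on_label(ROWS))[:3], "...")
    print("reparsed sort      :", labels_of(sort_on_reparsed_label(ROWS, 2023))[:3], "...")
    print("year end, reparsed :", labels_of(sort_on_reparsed_label(YEAR_END_ROWS, 2023)))
    print("year end, on _time :", labels_of(sort_on_time(YEAR_END_ROWS)))
```

Running it shows the lexical sort putting "Jun-01" first (the picture in the question), the reparsed sort restoring May before June for a single year, and the year-end rows coming out as Jan, Jan, Dec, Dec under the reparse but Dec, Dec, Jan, Jan when sorted on the real timestamp. The practical rule is to sort (or let timechart bucket) on _time and apply strftime last, purely for the axis label.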