Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Help in time filter and sorting

jerinvarghese
Communicator
‎06-15-2020 02:42 AM

Hi All,

Need a best solution in plotting a graph. for daily based alerting/ticketing am receiving.

Query am using is below. Also the search is for last 30 days.

 

index=itsm 
| eval Time=strftime(_time,"%b-%d")
| sort - Time
| stats  count by USER Time 
| xyseries  Time USER count 
| fillnull value=0

 

Output, I am getting is:

Time USER
1-Jun 132
2-Jun 260
3-Jun 153
4-Jun 72
5-Jun 147
6-Jun 228
7-Jun 122
8-Jun 195
9-Jun 210
10-Jun 114
11-Jun 148
12-Jun 168
13-Jun 119
14-Jun 299
15-Jun 58
16-May 159
17-May 215
18-May 195
19-May 305
20-May 220
21-May 219
22-May 160
23-May 198
24-May 73
25-May 126
26-May 308
27-May 271
28-May 109
29-May 124
30-May 144
31-May 103

My graph looks like:

line graph.JPG

I am unable to sort it in monthly order, I tried a different way- but I am not getting June after May.

Any other graph way this looks better also pls suggest.

Please help me with this.

Labels (1)
Labels
0 Karma
Reply

to4kawa
Ultra Champion
‎06-15-2020 04:23 AM 
index=itsm 
| timechart span=1d by USER
| rename _time as Time
| eval Time=strftime(Time,"%b-%d")

how about this?

 

sample:

| tstats count where index=_audit by _time span=1d
| eval time=strftime(_time,"%b-%d")
| table time count
| head 30
Reply

direkp
Engager
‎06-15-2020 11:30 PM

You can use timechart

1) count all requests

index=itsm
| timechart span=1d count

 

2) if you want to unique count user

index=itsm
| timechart span=1d dc(user) as user

 

Tags (1)
0 Karma
Reply

rnowitzki
Builder
‎06-15-2020 04:22 AM

Hi  @jerinvarghese ,


Add this at the very end and it should sort correct.  

 

| eval sort_time=strptime(Time,"%b-%d")
| sort 0 sort_time
| fields - sort_time

 

edit: you should remove your first sort, based on "Time". 

 

--
Karma and/or Solution tagging appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...