Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I take an hourly count of one field value for all available hosts?

zeespl
Explorer
‎10-02-2018 07:24 AM

I want to create a dashboard for below.

There are two fields: "clientip" and "hosts".

I want to calculate the number of connections made by each IP in an hour for all available hosts. This data I need is for 12 hours.

I tried the below query, but it doesn't work..

..| chart dc(clientip) over date_hour by hosts usenull=f

@niketnilay : Could you please advise?

Tags (2)
0 Karma
Reply

davidcruz
Explorer
‎10-04-2018 07:37 AM

Have you tried

..| timechart dc(clientip) span=1h by hosts usenull=f
0 Karma
Reply

niketn
Legend
‎10-02-2018 08:36 AM

@zeespl , could you please explain what is not working? Your current query should give unique clientips that logs event per hour for each host?

By any chance are you interested in count() and not dc()?

 <yourBaseSearch> earliest=-12h latest=now
| chart count(clientip) by date_hour hosts usenull=f useother=f limit=0

Or else if you are actually interested in only login event, hope you are filtering the events for the same in your base search.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

zeespl
Explorer
‎10-02-2018 08:46 AM

@niketnilay, I want to create a column chart at an hour interval.

There should be columns for each host and columns to be multicolored(differnet color for each unique IP) based on count of IPs and height of column to be equal to total count.

X-axis : hosts
Y-axis : count
this should be spread across 12 hours.

0 Karma
Reply

zeespl
Explorer
‎10-04-2018 07:28 AM

@niketnilay,

X-axis having 12 hours.

For each hour there should be columns corresponding to each host.

Every column should be stacked up with count of different IPs.

I hope i am clear now.

0 Karma
Reply

FrankVl
Ultra Champion
‎10-04-2018 08:39 AM

Have you tried just doing a plain | timechart span=1h dc(clientip) by hosts or something like that?

date_hour is a field that represents the hour value as splunk read it from the raw event. Not the best to use in searches really as it is not normalized.

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...