Dashboards & Visualizations

How to create a bar chart for dashboard displaying count on 1st of every month for past year?

rk1165
Loves-to-Learn Lots

I want to create a bar plot which displays the total number of events on the 1st of every month for the last 12 months. I can't query data for the last 12 months because the search times out in 5 minutes as we have billions of events.

Is there a way we can do this using timechart or another mechanism?

Thanks

0 Karma

smurf
Communicator

If you are looking only for the total number of events, you could use tstats. Searching through metadata tends to be quite fast, but could still time out.

Another possibility would be using summaries. You could schedule a search to run every day/week/month to run for the specific period and have the visualization search run on the summary data.

You can find more about summary indexing here: Use summary indexing for increased search efficiency - Splunk Documentation

0 Karma

ITWhisperer
SplunkTrust

You could try using metasearch if all you want is counts based on a restricted set of fields.

metasearch - Splunk Documentation

You could also restrict your time period to the first of every month:

index ... (earliest=-12mon@mon latest=-12mon@mon+1d) OR (earliest=-11mon@mon latest=-11mon@mon+1d) OR ...

You could create summary index entries for each month and query those.

0 Karma
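The restricted-time-range search suggested in the last reply has twelve clauses, so it is easier to generate than to type. The following is an added example, not code from the thread: the function names and the index name `main` are assumptions, and it assumes the Splunk user's timezone matches the timezone of `now` (UTC here) so that the `timechart` month buckets line up with the windows.

```python
import re
from datetime import datetime, timezone

# Index names are validated before being placed in the search string so that
# a caller-supplied value cannot smuggle extra SPL into the query.
_INDEX_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_-]*")


def first_of_month_windows(now, months=12):
    """Return [(earliest, latest), ...] epoch pairs, oldest first, each covering
    one whole 1st-of-month day. A 1st that has not finished yet is skipped."""
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    year, month = now.year, now.month
    windows = []
    while len(windows) < months:
        start = datetime(year, month, 1, tzinfo=now.tzinfo)
        end = datetime(year, month, 2, tzinfo=now.tzinfo)
        if end <= now:
            windows.append((int(start.timestamp()), int(end.timestamp())))
        # Step back one calendar month, wrapping January to December.
        year, month = (year - 1, 12) if month == 1 else (year, month - 1)
    return windows[::-1]


def build_search(index, windows):
    """Build the restricted-time-range search, one timechart bar per month."""
    if not _INDEX_RE.fullmatch(index):
        raise ValueError(f"unexpected index name: {index!r}")
    ranges = " OR ".join(f"(earliest={e} latest={l})" for e, l in windows)
    return f"index={index} ({ranges}) | timechart span=1mon count"


if __name__ == "__main__":
    # Constructed sample: index "main" is a placeholder, times are UTC.
    now = datetime.now(timezone.utc)
    print(build_search("main", first_of_month_windows(now)))
```

Because each window is an absolute epoch range, the same string can be reused in a scheduled search that writes its monthly counts to a summary index.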