Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a column chart By time Today/Yesterday/LastWeekDay by specific Field value?

sukansingh
Explorer
‎02-08-2023 06:41 AM

I want to see the 500 error count for each Customers over time (Today/Yesterday/LastWeekOfDay) So total 3 days.

Below screenshot is Kibana Chart. How can we create same kind of chart in Splunk?

sukansingh_0-1675866432264.png

I have tried below timechart query but x axis have time first instead of customerId.

index="services" statusCode="500" | timechart span=1d count by customerId

I have also tried with below Query But I feel Count in response in not correct.

index="services" statusCode="500" | bucket _time span=day | chart count by customerId,_time | head 10

Is there a better way to do it?

 

 

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-13-2023 12:02 AM

If it is always the last / latest column, you could try something like this

| sort 0
    [| makeresults
    | addinfo 
    | eval search=strftime(info_max_time-1, "%F")
    | fields search
    | format "" "" "" "" "" ""]

View solution in original post

Reply
Solved! Jump to solution

sukansingh
Explorer
‎02-09-2023 10:39 AM

Thanks @ITWhisperer , This Query is working for me. Now I'm facing a challenge to sort by specific column let say 3rd column.

index="services" statusCode="500" | bucket _time span=day | eval time=strftime(_time,"%F") | chart count by customerId

sukansingh_0-1675967738296.png

Since these date fields are dynamically getting generated and user can specify any date range So I can not specify | sort -"2023-02-09" .

In this case how to sort by any specific column which is dynamically generated by bucket _time span?

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-09-2023 11:35 AM

The user can select the "up arrow" or "down arrow" next to the column name to sort the results by that column.

0 Karma
Reply
Solved! Jump to solution

sukansingh
Explorer
‎02-12-2023 10:12 PM

@ITWhisperer , I want to do the sorting through Query as we need to use this chart in Dashboard.

I wonder if Splunk even have this feature.

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-13-2023 12:02 AM

If it is always the last / latest column, you could try something like this

| sort 0
    [| makeresults
    | addinfo 
    | eval search=strftime(info_max_time-1, "%F")
    | fields search
    | format "" "" "" "" "" ""]
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-08-2023 08:24 AM

Your chart should work only _time will be in seconds, so I suggest you create a field with time formatted and use that field as the second dimension on the chart.

index="services" statusCode="500" 
| bucket _time span=day 
| eval time=strftime(_time,"%F")
| chart count by customerId, time
| head 10
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...