Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to display trend for 3 months?

udaypulipaka
Observer
‎02-12-2019 12:23 AM

Hi,

How can i display last 3 months data monthly wise count as trend dashboard.To check whether monthly increasing or decreaing data.

index="os" sourcetype="Service" CaseNumber=* status=* assignment=* |dedup _time,CaseNumber,assignment_group| streamstats current=f last(assignment_group) as lg, last(active) as Active by CaseNumber | eval ss=case(assignment!=lg AND assignment="Susta","Escalated",assignment="Susta" AND status="Complete" AND (isnull(Active) OR Active="true"),"Resolved") |timechart count by ss usenull=f

How can i display monthly wise count as trend in dashboard

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

vinod94
Contributor
‎02-12-2019 10:01 PM

@udaypulipaka ,

Please accept the answer if it worked for you!.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

vinod94
Contributor
‎02-12-2019 10:01 PM

@udaypulipaka ,

Please accept the answer if it worked for you!.

0 Karma
Reply
Solved! Jump to solution

vinod94
Contributor
‎02-12-2019 01:40 AM

Try this,

You can use span in timechart

https://docs.splunk.com/Documentation/SplunkCloud/7.2.3/SearchReference/Timechart

Your search |  timechart  span=3mon count by ss usenull=f
0 Karma
Reply
Solved! Jump to solution

udaypulipaka
Observer
‎02-12-2019 02:53 AM

index="os" sourcetype="Service" CaseNumber=* status=* assignment=* |dedup _time,CaseNumber,assignment|streamstats current=f last(assignment) as lg, last(active) as Active by CaseNumber | eval is_escalated= if(assignment!=lg AND assignment="Susta",1,NULL)
|eval is_resolved=if(assignment_group="Susta" AND status="Complete" AND (isnull(Active) OR Active="true"),1,NULL)| chart count(is_escalated) AS "Escalated Cases" count(is_resolved) AS "Resolved Cases" by Component

For this query i need linechart.when i add timechart to this query it is showing all the components in below.It looks not gud.So can u help how to do trend for this query.

0 Karma
Reply
Solved! Jump to solution

vinod94
Contributor
‎02-12-2019 04:17 AM

can you try this,

your search |  bin span=3mon _time |stats count(ss) as count by _time
0 Karma
Reply
Solved! Jump to solution

udaypulipaka
Observer
‎02-12-2019 04:40 AM

timechart span=3mon count by ss usenull=f this is working fine.Thank u for your help

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...