Dashboards & Visualizations

Need a dashboard to show the past 3 days' web hits by each site and the total for each day. I need output like below.

a527572
New Member

Query using :
earliest=-3d@d latest=@d index=xyz host=l*xyz* source="xyz" | eval weekday=strftime(_time, "%b %d, %A ") | chart count(JVM) over JVM by weekday | sort weekday | join JVM [ search earliest=-3d@d latest=@d index=xyz host=l*xyz* source="xyz" | chart count(JVM) over JVM by host ]

With the query I am using, I am getting results like below.

1 Solution

somesoni2
Revered Legend

The column merge (like excel) is not possible in Splunk. Give this workaround a try

earliest=-3d@d latest=@d index=xyz host=l*xyz* source="xyz" | eval weekday=strftime(_time, "%b %d, %A") | stats count(JVM) as count by JVM weekday host | appendpipe [| stats sum(count) as count by JVM weekday | eval host="Total"] | eval weekday=weekday.":".host
| chart sum(count) over JVM by weekday limit=0
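A run-anywhere version of the appendpipe workaround above, added here as an example and not part of the original answer: it builds a small constructed dataset with makeresults (the weekday, JVM, host and count values are made up) so the "Total" rows and the weekday:host column labels can be inspected without access to the xyz index.

```spl
| makeresults
| eval data="Jan 01, Monday/jvm1/hostA/12;Jan 01, Monday/jvm1/hostB/8;Jan 01, Monday/jvm2/hostA/5;Jan 02, Tuesday/jvm1/hostA/10;Jan 02, Tuesday/jvm1/hostB/4;Jan 02, Tuesday/jvm2/hostB/7"
| makemv delim=";" data
| mvexpand data
| rex field=data "^(?<weekday>[^/]+)/(?<JVM>[^/]+)/(?<host>[^/]+)/(?<count>\d+)$"
| fields weekday JVM host count
| stats sum(count) as count by JVM weekday host
| appendpipe [ stats sum(count) as count by JVM weekday | eval host="Total" ]
| eval weekday=weekday.":".host
| chart sum(count) over JVM by weekday limit=0
```

The first eight lines only stand in for the real search and stats; the last three are the workaround itself. With this data the "Jan 01, Monday:Total" column holds 20 for jvm1 (12 + 8) and 5 for jvm2, and "Jan 02, Tuesday:Total" holds 14 and 7.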


a527572
New Member

Thanks for the reply... I am completely new to Splunk. Can you explain to me how to build a dashboard for the following?
• To show 24 hrs web hits report by each Host + Total
• To show past 3 days web hits by each Host and total for each day
• To show past 7 days web hits for each JVM (total only). (Not Host specific).


somesoni2
Revered Legend

Give these a try

• To show 24 hrs web hits report by each Host + Total

index=xyz host=l*xyz* source="xyz" earliest=-24h | stats count by host | eventstats sum(count) as Total

• To show past 3 days web hits by each Host and total for each day

earliest=-3d@d latest=@d index=xyz host=l*xyz* source="xyz" | eval weekday=strftime(_time, "%b %d, %A") | chart count over host by weekday

• To show past 7 days web hits for each JVM (total only). (Not Host specific).

earliest=-7d@d latest=@d index=xyz host=l*xyz* source="xyz" | eval weekday=strftime(_time, "%b %d, %A") | chart count over JVM by weekday

sundareshr
Legend

I think the closest you can come to that is as shown in this run-anywhere sample. I am not aware of any way to merge cells the way you have it in your mock-up.

index=_internal bytes=* earliest=-1d@d | eval wkday=strftime(_time, "%a") | eval sourcetype=wkday."#".sourcetype | chart min(bytes) as b over source by sourcetype