Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Results displayed by day

sweiland
Path Finder
‎08-21-2020 12:54 AM

Hi there,

I have a dashboard which splits the results by day of the week, to see for example the amount of events by Days (Monday, Tuesday, ...)

My request is like that:

myrequest | convert timeformat="%A" ctime(_time) AS Day | chart count by Day | rename count as "SENT" | eval wd=lower(Day) | eval sort_field=case(wd=="monday",1, wd=="tuesday",2, wd=="wednesday",3, wd=="thursday",4, wd=="friday",5, wd=="saturday",6 ,wd=="sunday",7) | sort sort_field | fields - sort_field, wd

 

Only problem with the request is that sometimes a day or two could be missing in the histogram (0 entries), and I wanted to have always the 7 days displayed (even with 0 results).

Any way to do this ? Any help appreciated! (like a left join in SQL)

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-21-2020 09:50 AM

It looks like my query is producing the zeros you wanted, but has more than one entry for each day.  I think we can correct that with stats.

index=_internal 
| timechart span=1d count 
| convert timeformat="%A" ctime(_time) AS Day 
| stats sum(count) as count by Day
| rename count as "SENT" 
| eval wd=lower(Day) 
| eval sort_field=case(wd=="monday",1, wd=="tuesday",2, wd=="wednesday",3, wd=="thursday",4, wd=="friday",5, wd=="saturday",6 ,wd=="sunday",7) 
| sort sort_field 
| fields - sort_field, wd 
| table Day SENT
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-21-2020 08:19 AM

This works for me.

index=_internal 
| timechart span=1d count 
| convert timeformat="%A" ctime(_time) AS Day 
| rename count as "SENT" | eval wd=lower(Day) 
| eval sort_field=case(wd=="monday",1, wd=="tuesday",2, wd=="wednesday",3, wd=="thursday",4, wd=="friday",5, wd=="saturday",6 ,wd=="sunday",7) 
| sort sort_field 
| fields - sort_field, wd 
| table Day SENT
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

sweiland
Path Finder
‎08-21-2020 08:42 AM

Hmmm nope, here is my first attempt (with my query, I miss the Sunday = 0 event), and also comparison with your query (below)

SplunkTest.pngMaybe I need then a group by ?

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-21-2020 09:50 AM

It looks like my query is producing the zeros you wanted, but has more than one entry for each day.  I think we can correct that with stats.

index=_internal 
| timechart span=1d count 
| convert timeformat="%A" ctime(_time) AS Day 
| stats sum(count) as count by Day
| rename count as "SENT" 
| eval wd=lower(Day) 
| eval sort_field=case(wd=="monday",1, wd=="tuesday",2, wd=="wednesday",3, wd=="thursday",4, wd=="friday",5, wd=="saturday",6 ,wd=="sunday",7) 
| sort sort_field 
| fields - sort_field, wd 
| table Day SENT
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

sweiland
Path Finder
‎08-21-2020 01:42 PM

Thanks, it works almost flawlessly ! 🙂

Just a problem when I put "Since start of week", Saturday is missing.. dont know why..

sweiland_0-1598042307460.png

I would have thought that I should miss Saturday & Sunday (because I put start of week and both days are not in the request at all)

 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-22-2020 09:30 AM

"Start of week" is Sunday. Saturday was tomorrow so timechart thinks you only care about Sun-Fri. Try using latest=+1w@w.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

sweiland
Path Finder
‎08-22-2020 10:21 AM

Maybe I just find a way to limit the timepicker to 7 days range minimum (but did not find how), or I just do not display the panel if the range is less than 7 days

Both case I do not know how to do, but will try to find 🙂 (2nd optionis better, to hide the panel if range too short)

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...