Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Results displayed by day

sweiland
Path Finder
‎08-21-2020 12:54 AM

Hi there,

I have a dashboard which splits the results by day of the week, to see for example the amount of events by Days (Monday, Tuesday, ...)

My request is like that:

myrequest | convert timeformat="%A" ctime(_time) AS Day | chart count by Day | rename count as "SENT" | eval wd=lower(Day) | eval sort_field=case(wd=="monday",1, wd=="tuesday",2, wd=="wednesday",3, wd=="thursday",4, wd=="friday",5, wd=="saturday",6 ,wd=="sunday",7) | sort sort_field | fields - sort_field, wd

 

Only problem with the request is that sometimes a day or two could be missing in the histogram (0 entries), and I wanted to have always the 7 days displayed (even with 0 results).

Any way to do this ? Any help appreciated! (like a left join in SQL)

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-21-2020 09:50 AM

It looks like my query is producing the zeros you wanted, but has more than one entry for each day.  I think we can correct that with stats.

index=_internal 
| timechart span=1d count 
| convert timeformat="%A" ctime(_time) AS Day 
| stats sum(count) as count by Day
| rename count as "SENT" 
| eval wd=lower(Day) 
| eval sort_field=case(wd=="monday",1, wd=="tuesday",2, wd=="wednesday",3, wd=="thursday",4, wd=="friday",5, wd=="saturday",6 ,wd=="sunday",7) 
| sort sort_field 
| fields - sort_field, wd 
| table Day SENT
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-21-2020 08:19 AM

This works for me.

index=_internal 
| timechart span=1d count 
| convert timeformat="%A" ctime(_time) AS Day 
| rename count as "SENT" | eval wd=lower(Day) 
| eval sort_field=case(wd=="monday",1, wd=="tuesday",2, wd=="wednesday",3, wd=="thursday",4, wd=="friday",5, wd=="saturday",6 ,wd=="sunday",7) 
| sort sort_field 
| fields - sort_field, wd 
| table Day SENT
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

sweiland
Path Finder
‎08-21-2020 08:42 AM

Hmmm nope, here is my first attempt (with my query, I miss the Sunday = 0 event), and also comparison with your query (below)

SplunkTest.pngMaybe I need then a group by ?

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-21-2020 09:50 AM

It looks like my query is producing the zeros you wanted, but has more than one entry for each day.  I think we can correct that with stats.

index=_internal 
| timechart span=1d count 
| convert timeformat="%A" ctime(_time) AS Day 
| stats sum(count) as count by Day
| rename count as "SENT" 
| eval wd=lower(Day) 
| eval sort_field=case(wd=="monday",1, wd=="tuesday",2, wd=="wednesday",3, wd=="thursday",4, wd=="friday",5, wd=="saturday",6 ,wd=="sunday",7) 
| sort sort_field 
| fields - sort_field, wd 
| table Day SENT
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

sweiland
Path Finder
‎08-21-2020 01:42 PM

Thanks, it works almost flawlessly ! 🙂

Just a problem when I put "Since start of week", Saturday is missing.. dont know why..

sweiland_0-1598042307460.png

I would have thought that I should miss Saturday & Sunday (because I put start of week and both days are not in the request at all)

 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-22-2020 09:30 AM

"Start of week" is Sunday. Saturday was tomorrow so timechart thinks you only care about Sun-Fri. Try using latest=+1w@w.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

sweiland
Path Finder
‎08-22-2020 10:21 AM

Maybe I just find a way to limit the timepicker to 7 days range minimum (but did not find how), or I just do not display the panel if the range is less than 7 days

Both case I do not know how to do, but will try to find 🙂 (2nd optionis better, to hide the panel if range too short)

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...