How to get a serial number for chart in Splunk?
S_no
1
2
3
4
** in a chart ** ?
Thanks in advance
if you add this to the end of your SPL, is it what you're looking for:
...|chart count by hour,wday|rex field=hour "(?<s_no>\d\.)"|rex mode=sed field=hour "s/\d\.//g"
hi , you just need to use | Fields A,B,C in the order your need them to appear
if you add this to the end of your SPL, is it what you're looking for:
...|chart count by hour,wday|rex field=hour "(?<s_no>\d\.)"|rex mode=sed field=hour "s/\d\.//g"
Thank you ,but serial number is getting populated in last coloumn
hi , you just need to use | Fields A,B,C in the order your need them to appear
| Fields s_no, field1,field2 etc etc..
am getting values in a stack mode ..needed like a chart
sorry not clear , you are getting a stacked chart? can you share a bit more with images what you desire and what you are getting?
you are looking for row count probably. try this -
| streamstats count as "S_no"
serial number of each row in separate coloum
Thank you but i need it in a separate coloum from my other output values
Especially in a query written for a CHART only
can you be more specific? is there other data you're using in conjunction with this? more details will help the community give a more helpful answer
Yeah , Actually in a eval statement i have specified numbers for each string so that i'll get in that sequence of numbers but now i need serial number in the same sequence by removing numbers assigned to string in eval statment
|eval hour=case(hour>0 AND hour<=6,"Midnight to 6AM",hour>6 AND hour<=8,"2. 6AM to 8AM",hour>8 AND hour<=10,"3. 8AM to 10AM",hour>10 AND hour<=12,"4. 10AM to 12PM",hour>12 AND hour<=14,"5. 12PM to 2PM",hour>14 AND hour<=16,"2PM to 4PM",hour>16 AND hour<=18,"4PM to 6PM",hour>18 AND hour<=20,"8. 6PM to 8PM",hour>20 AND hour<=24,"9. 8PM to Midnight")
|chart sum(count) by hour,wday