Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

graph details

DTERM
Contributor
‎08-22-2011 01:43 PM

index=MyApp earliest=-30d@d-14h | where (date_hour>=10 AND date_hour<22) | bucket _time span=1d | stats count by _time | sort - _time | append [ search index=MyApp earliest=-30d@d-2h | where(date_hour<10 or date_hour>=22) | eval _time=if(date_hour<10, _time-86400, _time) | bucket _time span=1d | stats count by _time | sort - _time]

I'm using the query above to generate a graph of the number of tickets for two different support staff shifts. One shift is from 10:00 AM through 10:00 PM. The other shift is from 10:00 PM to 10:00 AM. Ultimately, I want two line graphs of the number of tickets each staff gets (to compare against each other).

The graph however is not helpful. Is there a way that I can provide different colors for the lines? Also, the legend has a single entry - "Count". Is there a way to modify or change the legend? Finally, there appears to be a third line (I'm guessing an average??) that appears as well. I don't want that.

Thanks in advance.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

fk319
Builder
‎08-23-2011 06:14 AM

First, when you do a 'stats' you can use the as option, 'stats count as "DayShift" by _time'.


I am thinking that I would redo your query a bit.

index=MyApp earliest=-30d@d-14h | eval Shift=if(10<=date_hour and date_hour<22,"Day","Night") | timechart span=1d count by Shift

View solution in original post

Reply
Solved! Jump to solution
Solution

fk319
Builder
‎08-23-2011 06:14 AM

First, when you do a 'stats' you can use the as option, 'stats count as "DayShift" by _time'.


I am thinking that I would redo your query a bit.

index=MyApp earliest=-30d@d-14h | eval Shift=if(10<=date_hour and date_hour<22,"Day","Night") | timechart span=1d count by Shift
Reply
Solved! Jump to solution

DTERM
Contributor
‎08-23-2011 10:05 AM

That is perfect. Thanks.

0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...