Dashboards & Visualizations

Searches based on time range in one graph

Khushboo
Explorer

Hi Team,

I have a query like the following:

index=something  earliest=-7d latest=now()
| stats count by page

where I need to calculate how many hits a page is getting in the last 1 hour, 4 hours, 24 hours and last week.

How do I join these searches to draw one line graph from them?

0 Karma

Khushboo
Explorer

Sorry for the confusion.
Yes, I'm looking for 1 hour values, then 4 and 24 hour running totals over the last week.
I want count by page. Whenever I'm adding stats count by page with timecharts it returns no data.

0 Karma

bowesmana
SplunkTrust

Not sure what you mean by 'stats count by page with timecharts..'

Assuming you have a field 'page' then this timechart followed by the streamstats will give you all the relevant totals, but depending on how many pages you have, there will be a lot of data to visualise - with 4 values, each with significantly different scales that can only be represented on 2 y-axes.

your search
| timechart limit=0 span=1h count by page
| streamstats time_window=4h sum(*) as T_H04_*
| streamstats time_window=24h sum(*) as T_H24_*
| streamstats time_window=1w sum(*) as T_Wk_*
| fields _time T_*
| rename T_* as *

Does that work?

0 Karma

bowesmana
SplunkTrust

It's not clear what your line graph is intended to show, just 4 values with 1, 4, 24 hours and 1 week totals?

Or are you looking for 1 hour values, then 4 and 24 hour running totals over the last week, e.g. like this:

index=_internal 
| timechart span=1h count
| streamstats time_window=4h sum(count) as Hour4
| streamstats time_window=24h sum(count) as Hour24

But showing that as a line graph with 4 lines on it isn't great on the same Y axis.

You could do this to get the 4 values:

index=_internal earliest=-7d@d latest=@h
| timechart span=1h count
| streamstats time_window=4h sum(count) as Hour4
| streamstats time_window=24h sum(count) as Hour24
| streamstats time_window=1w sum(count) as Week
| reverse
| head 1
| eval Periods="Results"
| table Periods count Hour4 Hour24 Week

and show that as a column chart, or remove the 'Periods' value and show the results as single values in trellis mode.
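
An added Python illustration (not code from the thread or from Splunk) of what the searches in both answers compute: hourly counts per page as in `timechart span=1h count by page`, then trailing-window sums as in `streamstats time_window=...`, and finally the most recent row as in `| reverse | head 1`. The page names and events are constructed, and the window boundary (a row at time t sums rows with t - w < t' <= t) is an assumption about how `time_window` selects rows.

```python
from collections import defaultdict
from datetime import datetime, timedelta

HOUR = timedelta(hours=1)

def hourly_counts(events):
    """Emulates `timechart limit=0 span=1h count by page`: one row per hour,
    one count per page, empty hours zero-filled."""
    buckets = defaultdict(lambda: defaultdict(int))
    for ts, page in events:
        buckets[ts.replace(minute=0, second=0, microsecond=0)][page] += 1
    pages = sorted({page for _, page in events})
    t, last = min(buckets), max(buckets)
    rows = []
    while t <= last:
        rows.append((t, {p: buckets[t][p] for p in pages}))
        t += HOUR
    return rows

def rolling_totals(rows, windows):
    """Emulates `streamstats time_window=<w> sum(...)` for each page column.
    Assumption: a row at time t sums rows with t - w < t' <= t."""
    out = []
    for i, (t, counts) in enumerate(rows):
        rec = {"_time": t}
        for label, w in windows.items():
            for page in counts:
                rec[f"{label}_{page}"] = sum(
                    c[page] for t2, c in rows[:i + 1] if t - w < t2)
        out.append(rec)
    return out

# Constructed sample: events per hour for two hypothetical pages.
BASE = datetime(2024, 1, 1)
PER_HOUR = {"/login": [1, 2, 3, 4, 5, 6], "/admin": [0, 0, 1, 0, 0, 2]}
SAMPLE = [(BASE + h * HOUR + timedelta(minutes=5 * k), page)
          for page, per_hour in PER_HOUR.items()
          for h, n in enumerate(per_hour) for k in range(n)]
WINDOWS = {"H04": timedelta(hours=4), "H24": timedelta(hours=24)}

def latest_totals(events=SAMPLE, windows=WINDOWS):
    """The `| reverse | head 1` step: keep only the most recent row."""
    return rolling_totals(hourly_counts(events), windows)[-1]

if __name__ == "__main__":
    for row in rolling_totals(hourly_counts(SAMPLE), WINDOWS):
        print(row)
```

Early rows hold partial sums because fewer than a full window of hours precedes them, which is why the answer reads the totals from the latest row.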
