How to display search results by day

kaphie2002
New Member

Hello,

  I have a search that calculates the total number of a specific log event and displays results in the table format below:

col1 col2 col3 col4
23 25 26 27

How do I display the results by day? For example:

_time col1 col2 col3
2018-05-03 270 23 35
2018-05-04 814 33 25
Total xxxx 56 60

Thanks,

0 Karma

woodcock
Esteemed Legend

Just add an appropriately placed | bin span=1d _time and then add _time to the BY clause of your stats command.

0 Karma

somesoni2
Revered Legend

You'd get a better answer if you could share your current search. Depending upon your current search (how you calculated values for those columns) you'd use timechart or a bin-stats or bin-chart combination.

0 Karma

rgreer
Path Finder

The timechart command (http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Timechart?r=searchtip) or the bin command. Either of those commands would do what you're looking for. I would start with the timechart command and expand from there.

0 Karma
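The bin-plus-stats approach from the first answer and the timechart approach from the last one, written out as an added example (not from any of the posters above). The index, sourcetype and the status-code conditions are assumptions standing in for the original poster's unspecified "specific log event"; the Total row comes from addcoltotals.

```spl
/* Constructed example: count web events per day, split by status class.
   index=web / sourcetype=access_combined / status are assumed field names. */
index=web sourcetype=access_combined
| bin span=1d _time
| stats count AS total,
        count(eval(status=200))                   AS ok,
        count(eval(status>=400 AND status<500))   AS client_error,
        count(eval(status>=500))                  AS server_error
        BY _time
/* render the day as text so the Total label can sit in the same column */
| eval day=strftime(_time, "%Y-%m-%d")
| table day total ok client_error server_error
| addcoltotals labelfield=day label=Total

/* Equivalent using timechart, which does the daily binning itself: */
index=web sourcetype=access_combined
| timechart span=1d count AS total,
                    count(eval(status>=500)) AS server_error
| eval day=strftime(_time, "%Y-%m-%d")
| table day total server_error
| addcoltotals labelfield=day label=Total
```

Run either search alone; they are two separate pipelines shown together for comparison.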