Splunk Dev

splunk visualization separate lines per day in a line graph

mmdacutanan
Explorer

I have a query that counts events from 30 days ago to current day but I filter the results so that I am only getting the count of events for the days in those 30 days that equals the current week day. So that if today is Wednesday, I would only see the count of events for all the Wednesdays in the last 30 days. Query is below:

index=abc sourcetype=abc_proxy(Action=InteractionQueued OR Action=InteractionDequeued) earliest=-30d@d latest=now()| timechart span=1d count| eval day_of_week = lower(strftime(_time, "%A")), now = lower(strftime(now(), "%A"))| where day_of_week = now|fields - day_of_week - now

Table is kind of big because I am doing hourly breakdowns but a portion of the output looks like this:

_time count
2018-07-11T00:00 7872
2018-07-11T01:00 5741
2018-07-11T02:00 6480
2018-07-11T03:00 10198
2018-07-11T04:00 11394
2018-07-11T05:00 17033
2018-07-11T06:00 17464
2018-07-11T07:00 21961
2018-07-11T08:00 28636
2018-07-11T09:00 27801
2018-07-11T10:00 28537
2018-07-11T11:00 27996
2018-07-11T12:00 24798
2018-07-11T13:00 27681
2018-07-11T14:00 25653
2018-07-11T15:00 32204
2018-07-11T16:00 32450
2018-07-11T17:00 23217
2018-07-11T18:00 23988
2018-07-11T19:00 22152
2018-07-11T20:00 19021
2018-07-11T21:00 19446

My problem now is with the visualization. Right now I get one continuous line for all the week days that match current weekday. I would like to have a line graph where each day is a separate line in the graph and where each line has an hourly granularity.

I wish I could attach images but I don't have enough points. BUt basically whatever the output is of the query, switch to visualization tab and select line graph.

Thanks in advance

Tags (1)
0 Karma

woodcock
Esteemed Legend

I agree. The timewrap command is great but if you are on an older release, you may need the (somewhat buggy) app:

https://splunkbase.splunk.com/app/1645/
0 Karma

DalJeanis
Legend

First, there is a timewrap visualization that may be exactly what you need, avoiding any of the tricks I'm going to give you. Try that first.

https://docs.splunk.com/Documentation/Splunk/7.1.2/SearchReference/Timewrap


Here's a run-anywhere example of how you could do it if that didn't work for you...

index=_audit  
| fields _time date_wday 
| rename COMMENT as "Limit to the fields you need"

| rename COMMENT as "do a preliminary stats at the granularity level you need - here 1 hour"
| bin _time   span=1h 
| stats first(date_wday) as date_wday count as hourcount by _time

| rename COMMENT as "limit to the day you want.  Here we assume that you want the day of week of the last date"
| eventstats latest(date_wday) as last_wday
| where date_wday = last_wday
| fields - last_wday

| rename COMMENT as "calculate the date, the last date, and how many weeks back each date is"
| bin _time as day span=1d 
| eventstats max(day) as maxday
| eval weeksback=(maxday-day)/604800 

| rename COMMENT as "move the date forward an even number of weeks, to match the last date"
| eval _time = _time + weeksback*604800

| rename COMMENT as "pretty up the week names, and drop unneeded fields"
| eval weeksback=if(weeksback=0,"Current ".date_wday,weeksback." Weeks Back")
| fields - day maxday
| timechart span=1h sum(hourcount) by weeksback

| rename COMMENT as "get rid of any completely empty records at the beginning or end"
| addtotals row=t col=f
| where isnotnull(Total)
| fields - Total   
0 Karma
Get Updates on the Splunk Community!

Harnessing Splunk’s Federated Search for Amazon S3

Managing your data effectively often means balancing performance, costs, and compliance. Splunk’s Federated ...

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...