Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Dashboard for host,sourcetype, latest event received,Total Eventcount and sparkline for count of 1month?

Atchyuth_P
Path Finder
‎10-04-2022 07:35 AM

Hi,

 

| tstats earliest(_time) as Earliest latest(_time) as Latest where index=_internal by _time, index, sourcetype, host span=1d
| eval Earliest=strftime(Earliest,"%Y-%m-%dT%H:%M:%S.%Q")
| eval Latest=strftime(Latest,"%Y-%m-%dT%H:%M:%S.%Q")
| appendcols
[tstats count where index=_internal by _time]

I would like to generate the dashboard for host,sourcetype, latest event received,Total Eventcount and sparkline for count of 1month

As per the above query i am getting result like this

Is there any other alternative for this please suggest?

Atchyuth_P_0-1664894021253.png

 

Labels (2)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

johnhuang
Motivator
‎10-04-2022 10:07 AM

Try something like this:

 

| tstats earliest(_time) AS earliest_epoch latest(_time) AS latest_epoch count AS event_count WHERE (index=_internal earliest=-1mon) BY index, sourcetype, host, _time span=1d
| eval earliest_time=strftime(earliest_epoch,"%Y-%m-%dT%H:%M:%S.%Q")
| eval latest_time=strftime(latest_epoch,"%Y-%m-%dT%H:%M:%S.%Q")
| stats min(earliest_time) AS earliest_time max(latest_time) AS latest_time sum(event_count) AS total_events sparkline(sum(event_count)) AS event_count_sparkline BY index sourcetype host

 

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

johnhuang
Motivator
‎10-04-2022 10:07 AM

Try something like this:

 

| tstats earliest(_time) AS earliest_epoch latest(_time) AS latest_epoch count AS event_count WHERE (index=_internal earliest=-1mon) BY index, sourcetype, host, _time span=1d
| eval earliest_time=strftime(earliest_epoch,"%Y-%m-%dT%H:%M:%S.%Q")
| eval latest_time=strftime(latest_epoch,"%Y-%m-%dT%H:%M:%S.%Q")
| stats min(earliest_time) AS earliest_time max(latest_time) AS latest_time sum(event_count) AS total_events sparkline(sum(event_count)) AS event_count_sparkline BY index sourcetype host

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...