Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Dashboard for host,sourcetype, latest event received,Total Eventcount and sparkline for count of 1month?

Atchyuth_P
Path Finder
‎10-04-2022 07:35 AM

Hi,

 

| tstats earliest(_time) as Earliest latest(_time) as Latest where index=_internal by _time, index, sourcetype, host span=1d
| eval Earliest=strftime(Earliest,"%Y-%m-%dT%H:%M:%S.%Q")
| eval Latest=strftime(Latest,"%Y-%m-%dT%H:%M:%S.%Q")
| appendcols
[tstats count where index=_internal by _time]

I would like to generate the dashboard for host,sourcetype, latest event received,Total Eventcount and sparkline for count of 1month

As per the above query i am getting result like this

Is there any other alternative for this please suggest?

Atchyuth_P_0-1664894021253.png

 

Labels (2)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

johnhuang
Motivator
‎10-04-2022 10:07 AM

Try something like this:

 

| tstats earliest(_time) AS earliest_epoch latest(_time) AS latest_epoch count AS event_count WHERE (index=_internal earliest=-1mon) BY index, sourcetype, host, _time span=1d
| eval earliest_time=strftime(earliest_epoch,"%Y-%m-%dT%H:%M:%S.%Q")
| eval latest_time=strftime(latest_epoch,"%Y-%m-%dT%H:%M:%S.%Q")
| stats min(earliest_time) AS earliest_time max(latest_time) AS latest_time sum(event_count) AS total_events sparkline(sum(event_count)) AS event_count_sparkline BY index sourcetype host

 

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

johnhuang
Motivator
‎10-04-2022 10:07 AM

Try something like this:

 

| tstats earliest(_time) AS earliest_epoch latest(_time) AS latest_epoch count AS event_count WHERE (index=_internal earliest=-1mon) BY index, sourcetype, host, _time span=1d
| eval earliest_time=strftime(earliest_epoch,"%Y-%m-%dT%H:%M:%S.%Q")
| eval latest_time=strftime(latest_epoch,"%Y-%m-%dT%H:%M:%S.%Q")
| stats min(earliest_time) AS earliest_time max(latest_time) AS latest_time sum(event_count) AS total_events sparkline(sum(event_count)) AS event_count_sparkline BY index sourcetype host

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...