Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Dashboard single value sentence including time
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all,
I'm currently working on a dashboard in Splunk that I am trying to take a count value and include it in a sentence to make it more presentable. As of now, I am able to get a count of events and then create a variable that works great:
eval today=count." "."messages processed today."
I have this dashboard panel set to refresh every hour, so ideally I would like the text to say "xxx messages processed today as of (time most recent search completed)". I've tried creating variables to do this or using by using stats, but any time I include the time in my "today" variable it causes no results to show up. Any thoughts?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try something like this:
|eval time=strftime(_time,"%Y-%m-%d %H:%M:%S")| eval today=count+" "+"messages processed"+time+"."
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is your query?
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try something like this:
|eval time=strftime(_time,"%Y-%m-%d %H:%M:%S")| eval today=count+" "+"messages processed"+time+"."
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've tried that, but anytime I do my table that used to display the text string returns nothing. Am I doing something in the wrong order?
source="mylog.log" | eval time=strftime(_time,"%I:%M %p") | stats count | eval count=tostring(count, "commas") | eval today=count." "."messages processed today as of"." ".time | table today
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you need time in your stats command
| eval time=strftime(_time,"%I:%M %p") | stats count max(time) as time| eval count=tostring(count, "commas") | eval today=count." "."messages processed today as of"." ".time| table today
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, I made a slight tweak and it is working perfectly now!
source="mylog.log" | eval time=strftime(_time,"%I:%M %p") | stats count latest(time) as time | eval count=tostring(count, "commas") | eval today=count." "."messages processed as of"." ".time | table today
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
