Solved: Help me with search query for my usecase

sravankaripe · ‎03-30-2017

i want to list out the success count by time
Example:

index="ABC" sourcetype="XYZ" responsecode="200"|

Time count

last 1hour(1:00am) 20
other 1hour(2:00am) 10

please help me with sample query

kiran331 · ‎03-30-2017

index="ABC" sourcetype="XYZ" responsecode="200"|timechart span=1h count

gcusello · ‎03-30-2017

Hi sravankaripe,
you can use timechart command to count the number of events in every hour:

index="ABC" sourcetype="XYZ" responsecode="200"
| timechart count span=1h

In addition, you can also compare count of each hour with the corresponding hour of e.g. last week using timewrap command (see http://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Timewrap):

index="ABC" sourcetype="XYZ" responsecode="200"
| timechart count span=1h
| timewrap 1week

Bye.
Giuseppe

woodcock · ‎03-30-2017

Like this:

index="ABC" sourcetype="XYZ" | bin _time span=1h | stats count(eval(responsecode="200")) AS success count BY _time

kiran331 · ‎03-30-2017

index="ABC" sourcetype="XYZ" responsecode="200"|timechart span=1h count

3no · ‎03-30-2017

Hi

index="ABC" sourcetype="XYZ" responsecode="200"| timechart span=1h count

3no.

adonio · ‎03-30-2017

is that what you are looking for?
.... | timechart span=1h count