Solved: Re: How do I display the date in my report with t...

pradeepk50 · ‎03-12-2020

I am trying get the max count for the yesterday's but along with this i need to display the date in the report for yesterdays date?
Kindly help me to get the date in the results along with the existing results.

Query: sourcetype="x" name = "any" | bin _time span=1s | stats count by logtime | stats max(count)

Output for the above query is :
max(count)
34

Thanks In Advance

richgalloway · ‎03-12-2020

The stats command filters out all fields except those explicitly named in the command so _time is not available. Depending on the time window of your search, this may fill your needs.

sourcetype="x" name = "any" | bin _time span=1s | stats count by logtime 
| stats max(count) as MaxCount 
| eval Date = strftime(now(), "%F")
| table Date MaxCount

---
If this reply helps you, Karma would be appreciated.

View solution in original post

manjunathmeti · ‎03-12-2020

Try this,

sourcetype="x" name = "any" | bin _time span=1s | stats count by logtime | eventstats max(count) as count | eval date=strftime(now()-86400, "%d-%m-%Y")

pradeepk50 · ‎03-12-2020

by this i am getting count for that interval. Actually i am looking for complete day Max count with the date incorporated in that.

manjunathmeti · ‎03-12-2020

what are logtime values?

pradeepk50 · ‎03-12-2020

Its like

logtime
for todays date and time --> the count will get displayed.

Like below
logtime count
2020-03-11 19:38:42 34
2020-03-11 17:30:53 29
2020-03-11 19:17:02 29
2020-03-11 17:17:36 28

manjunathmeti · ‎03-12-2020

ok, you can use stats in place of eventstats. And you wrote need to display the date in the report for yesterdays date. Replace now()-86400 with now() if you don't want yesterdays date.

sourcetype="x" name = "any" | bin _time span=1s | stats count by logtime | stats max(count) as max_count | eval date=strftime(now()-86400, "%d-%m-%Y") | table date, max_count

pradeepk50 · ‎03-12-2020

Yeah, this is working as expected.

richgalloway · ‎03-12-2020

The stats command filters out all fields except those explicitly named in the command so _time is not available. Depending on the time window of your search, this may fill your needs.

sourcetype="x" name = "any" | bin _time span=1s | stats count by logtime 
| stats max(count) as MaxCount 
| eval Date = strftime(now(), "%F")
| table Date MaxCount

---
If this reply helps you, Karma would be appreciated.

pradeepk50 · ‎03-12-2020

Perfect 🙂

so to get the date field this is the syntax " | eval Date = strftime(now(), "%F")" right ?

richgalloway · ‎03-12-2020

Right. That will get you the current date as a string. Modify the second argument to strftime if you want the date in a different format.

---
If this reply helps you, Karma would be appreciated.

pradeepk50 · ‎03-12-2020

By the above query i am getting the date filed in the results but its getting today's date, but the report is running for yesterday's data. So we need to display yesterday's date.

How do I display the date in my report with the the data ?

What’s New & Next in Splunk SOAR

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

Are you a member of the Splunk Community?

How do I display the date in my report with the the data ?

What’s New & Next in Splunk SOAR

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know