Solved: Re: How to create a table to show events for the p...

aaroncherian · ‎07-02-2020

I am trying to create a table something like this that will fetch the data for all the events for the past 7 days. I want this to be ran any time and it would update the dates dynamically at the top. I want it to look something like this:

Host	Sourcetype	6/1	6/2	6/3	6/4	6/5	6/6	6/7
" "	" "	Count	Count	Count	Count	Count	Count	count

Here is my search so far:

index=" " | bucket span=1d _time | eval dayOfDate=strftime(_time,"%Y/%m/%d")  | stats count by host, sourcetype, dayOfDate | table host sourcetype dayOfDate count | rename count as "Number of events"

The dates show vertically and I wanted it to show up as column headers for the last 7 days that updates dynamically whenever I run this search.

to4kawa · ‎07-02-2020

View solution in original post

to4kawa · ‎07-02-2020

aaroncherian · ‎07-04-2020

Thanks for that @to4kawa !!

But is it possible to have two different columns for hosts and sourcetype instead of just them being combined into one column with a "::" in the middle? (Exact same format as my example output)

to4kawa · ‎07-04-2020

add
| rex field=hosts "(?<host>.*?)::(?<sourcetype>.*)"
| fields - hosts
| table host sourcetype *

aaroncherian · ‎07-04-2020

EDIT: Worked perfectly! Thanks @to4kawa !!!!

How to create a table to show events for the past 7 days

count

field extraction

stats

table

timechart

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!