Solved: How to create a table with time showing in the hor...

myli12 · ‎10-18-2011

I tried the following:

host=A earliest=10/01/2011:0:0:0 latest=10/01/2011:11:0:0 | timechart span=1h count by msg

Where "msg" is a customerized field. It did output the contents I wanted. But I would like the output table to have the time in the horizontal direction, and the "msg" values (many) in the vertical direction rather than the other way around in the current output. How could I achieve that?

The 2nd questions: Can I only show those "msg"s whose counts are more than 10 over the entire span (from earliest to latest)?

Ayn · ‎10-18-2011

Easiest way to switch the direction of the table is to use transpose. Just throw "| transpose" at the end of your search. However this might not give you exactly the result you want as the time will be output as epoch values, and will not be in the headers.

Another way is to skip timechart and use the regular chart command instead, and have it chart over a time field that has been discretized in some way. For instance you can use bucket (which is what timechart does automatically for you) and create a field that contains the time in a format that is somewhat easier on the eyes than staring at an epoch value. This will give you the same kind of results as using timechart with a span of 1 hour.

... | bucket span=1h _time | eval formatted_time=strftime(_time, "%c") | chart count over msg by formatted_time

Or you could use one of the time fields that are likely already in your log events, such as date_hour.

... | chart count over msg by date_hour

The only caveat with both of these examples is that if you're going to chart over several days you will need to take that into account, for instance by concatenating the date_mday value with date_hour, or using another strftime format string.

As for your 2nd question, yes, you can filter the chart to get only times with at least a certain number but it's somewhat more complex when splitting the stats by fields rather than using just one. Have a look at this answer which describes this in more detail: http://splunk-base.splunk.com/answers/12577/filter-a-chart

View solution in original post

Ayn · ‎10-18-2011

Easiest way to switch the direction of the table is to use transpose. Just throw "| transpose" at the end of your search. However this might not give you exactly the result you want as the time will be output as epoch values, and will not be in the headers.

Another way is to skip timechart and use the regular chart command instead, and have it chart over a time field that has been discretized in some way. For instance you can use bucket (which is what timechart does automatically for you) and create a field that contains the time in a format that is somewhat easier on the eyes than staring at an epoch value. This will give you the same kind of results as using timechart with a span of 1 hour.

... | bucket span=1h _time | eval formatted_time=strftime(_time, "%c") | chart count over msg by formatted_time

Or you could use one of the time fields that are likely already in your log events, such as date_hour.

... | chart count over msg by date_hour

The only caveat with both of these examples is that if you're going to chart over several days you will need to take that into account, for instance by concatenating the date_mday value with date_hour, or using another strftime format string.

As for your 2nd question, yes, you can filter the chart to get only times with at least a certain number but it's somewhat more complex when splitting the stats by fields rather than using just one. Have a look at this answer which describes this in more detail: http://splunk-base.splunk.com/answers/12577/filter-a-chart

How to create a table with time showing in the horizontal direction

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?