Splunk Search

How to get an hourly event count for the last 7 days, graphed with a different line for each day?

kumar22
New Member

For one particular system, I need the hourly event count for the last 7 days, graphed with a different line for each day.

X axis: 0-24 hours

Y axis: event count

Also, is it possible to trigger an alert on any deviation?

0 Karma
1 Solution

philipmattocks
Path Finder

Hi,

For the first part, you can use the timewrap function, see https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Timewrap

Something like:

index=your_index earliest=-7d@d latest=@d
| timechart span=1h count
| timewrap 1d

Let me know if that helps.

Philip


somesoni2
Revered Legend

Try like this

your base search
| eval Day=strftime(_time,"%Y-%m-%d") | eval Hour=strftime(_time,"%H:00")
| chart count over Hour by Day
0 Karma

kumar22
New Member

Thank you, Philip,

It's working fine. I have some more doubts about the graph.

  1. In the graph sheet, we are getting 7 separate graphs with individual y-axes. Is it possible to have a consolidated graph for the week?
  2. Is it possible to customize the field name "NULL_6days_ago" as "6days_ago"?
0 Karma

niketn
Legend

What do you mean by a consolidated graph for a week? In your question you had asked for a last-7-days graph with different lines.

For the second query, you can try the following.

| rename "NULL_*" as *

For finding deviations you would need to add more historic data and possibly use the Machine Learning Toolkit to find a suitable algorithm for outlier detection.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
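The deviation question raised in the thread is not answered with a query above, so here is an added example (not from any poster) of the same logic outside Splunk: it builds the `count over Hour by Day` table from constructed timestamps and then flags hours on the latest day whose count sits more than a chosen number of standard deviations from the same hour on the earlier days. The window start, the event volumes and the spike are all constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample data (not from the thread): 7 days of event timestamps, 8 to 12
# events per hour, plus a deliberate spike of 40 events at 03:00 on the last day.
WINDOW_START = datetime(2024, 1, 1)  # placeholder start of the -7d@d window
SPIKE_DAY, SPIKE_HOUR, SPIKE_COUNT = 6, 3, 40

def make_events():
    events = []
    for d in range(7):
        for h in range(24):
            n = SPIKE_COUNT if (d, h) == (SPIKE_DAY, SPIKE_HOUR) else 8 + (7 * d + h) % 5
            events.extend(WINDOW_START + timedelta(days=d, hours=h, minutes=i) for i in range(n))
    return events

def hourly_by_day(events):
    """Same shape as `... | chart count over Hour by Day`: {hour: {day: count}}."""
    table = {h: defaultdict(int) for h in range(24)}
    for ts in events:
        table[ts.hour][ts.strftime("%Y-%m-%d")] += 1
    return table

def deviations(table, latest_day, threshold=3.0):
    """Per-hour baseline check: compare latest_day's count for each hour against the
    mean and standard deviation of the same hour on the other days. Returns a list of
    (hour, count, baseline_mean, z) for hours more than `threshold` deviations away."""
    flagged = []
    for hour, per_day in sorted(table.items()):
        baseline = [c for day, c in per_day.items() if day != latest_day]
        if len(baseline) < 2:  # not enough history to judge this hour
            continue
        mu, sd = mean(baseline), pstdev(baseline)
        current = per_day.get(latest_day, 0)
        # A flat baseline (sd == 0) would make any change infinite in z terms; count it
        # as a hit only when the value actually differs from the baseline.
        z = (abs(current - mu) / sd) if sd else (float("inf") if current != mu else 0.0)
        if z > threshold:
            flagged.append((hour, current, round(mu, 2), round(z, 2)))
    return flagged

if __name__ == "__main__":
    table = hourly_by_day(make_events())
    latest = (WINDOW_START + timedelta(days=6)).strftime("%Y-%m-%d")
    for row in deviations(table, latest):
        print("deviation at hour %02d: count=%d baseline_mean=%s z=%s" % row)
```

In Splunk the same baseline can be built with `bin _time span=1h | stats count by _time`, `eval` for Hour and Day, and `eventstats` by Hour, with the `where` condition becoming the alert trigger; the threshold and amount of history should be tuned on real data before alerting on it.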

philipmattocks
Path Finder
  1. Do you have the multi-series mode enabled in your visualisation? If so, when you disable it, the graphs should be combined onto a single y-axis. The same goes if you have trellis mode enabled.
  2. I'm not sure if you can change what these fields are called...what is the query you're using?

Thanks

0 Karma