Solved: How to get event count hourly the last 7 days grap...

kumar22 · ‎01-29-2018

one particular system event count hourly the last 7 days graph each day need to display different line

X - axis -- 0 - 24 hours

Y Axis - event count

Also is it possiable to trigger alert if any deviation

philipmattocks · ‎01-29-2018

Hi,

Something like:

index=your_index earliest=-7d@d latest=@d 
| timechart span=1h count 
| timewrap 1d

Let me know if that helps.

Philip

somesoni2 · ‎01-29-2018

Try like this

your base search
| eval Day=strftime(_time,"%Y-%m-%d") | eval Hour=strftime(_time,"%H:00")
| chart count over Hour by Day

philipmattocks · ‎01-29-2018

Hi,

Something like:

index=your_index earliest=-7d@d latest=@d 
| timechart span=1h count 
| timewrap 1d

Let me know if that helps.

Philip

kumar22 · ‎01-30-2018

Thank you, Philip,

It's working fine. I have some more doubt in the graph.

In the graph sheet, we are getting 7 separate graphs with individual y-Axis. Is it possible to have consolidated graph for a week?
Is it possible to customize field name - "NULL_6days_ago" as "6days_ago" ?

niketn · ‎01-30-2018

What do you mean by consolidated graph for a week? In you question you had asked for last 7 days graph with different lines.

For second query, you can try the following.

| rename "NULL_*" as *

For finding deviations you would need to add more historic data and possibly use Machine Learning Toolkit for finding suitable algorithm for outlier.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

philipmattocks · ‎01-30-2018

Do you have the multi-series mode enabled in your visualisation? If so, when you disable it, the graphs should be combined onto a single y-axis. The same goes for if you have trellis mode enabled.
I'm not sure if you can change what these fields are called...what is the query you're using?

Thanks

How to get event count hourly the last 7 days graph each day need to display different line ?