Splunk Search

How to get the count (Exceptions) for last 5 days in a single table?

Madhan45
Path Finder

This is my expected result:

Exceptions  Day1  Day2  Day3  Day4  Day5
Abc          5     4     3     1     0
Start        3     4     4     5     6       
xyz          3     2     5     0     0
Tags (3)
0 Karma
1 Solution

renjith_nair
Legend

Try this

your search |chart count over Exceptions by <day field>

or if you don't have a day field

        your search |chart span=1d count over Exceptions by _time
---
What goes around comes around. If it helps, hit it with Karma :slightly_smiling_face:

View solution in original post

renjith_nair
Legend

Try this

your search |chart count over Exceptions by <day field>

or if you don't have a day field

        your search |chart span=1d count over Exceptions by _time
---
What goes around comes around. If it helps, hit it with Karma :slightly_smiling_face:

Madhan45
Path Finder

It shows results only for first exception.!!

0 Karma

renjith_nair
Legend

Do you have other Exceptions in the events? Just try this to see how it works

    index=* earliest=-7d|chart count over sourcetype by _time span=1d
---
What goes around comes around. If it helps, hit it with Karma :slightly_smiling_face:
0 Karma

Madhan45
Path Finder

great working fine. But now the problem is dates are in epoch format. How to convert that in to normal format?

0 Karma

Madhan45
Path Finder

Found Now it is working fine.
index=_internal sourcetype=* earliest=-7d | eval time=strftime(_time,"%m/%d/%y") |chart count over sourcetype by time span=1d

0 Karma

Madhan45
Path Finder

Thank you renjith

0 Karma

renjith_nair
Legend

You are welcome, Please mark as answer so that the thread will be closed

---
What goes around comes around. If it helps, hit it with Karma :slightly_smiling_face:
0 Karma

renjith_nair
Legend

Just convert time before chart ie

     index=* earliest=-7d|eval _time=strftime(_time,"%d-%m-%Y")|chart count over sourcetype by _time span=1d

You can use other variables instead of _time as well.

If you got the answer, just mark as answer so that the thread will be closed

---
What goes around comes around. If it helps, hit it with Karma :slightly_smiling_face:
0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...