Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get the count (Exceptions) for last 5 days in a single table?

Madhan45
Path Finder
‎01-12-2016 02:02 AM

This is my expected result:

Exceptions  Day1  Day2  Day3  Day4  Day5
Abc          5     4     3     1     0
Start        3     4     4     5     6       
xyz          3     2     5     0     0
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎01-12-2016 02:07 AM

Try this

your search |chart count over Exceptions by <day field>

or if you don't have a day field

        your search |chart span=1d count over Exceptions by _time
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎01-12-2016 02:07 AM

Try this

your search |chart count over Exceptions by <day field>

or if you don't have a day field

        your search |chart span=1d count over Exceptions by _time
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

Madhan45
Path Finder
‎01-12-2016 02:15 AM

It shows results only for first exception.!!

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎01-12-2016 02:21 AM

Do you have other Exceptions in the events? Just try this to see how it works 

    index=* earliest=-7d|chart count over sourcetype by _time span=1d
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

Madhan45
Path Finder
‎01-12-2016 02:29 AM

great working fine. But now the problem is dates are in epoch format. How to convert that in to normal format?

0 Karma
Reply
Solved! Jump to solution

Madhan45
Path Finder
‎01-12-2016 02:43 AM

Found Now it is working fine.
index=_internal sourcetype=* earliest=-7d | eval time=strftime(_time,"%m/%d/%y") |chart count over sourcetype by time span=1d

0 Karma
Reply
Solved! Jump to solution

Madhan45
Path Finder
‎01-12-2016 02:43 AM

Thank you renjith

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎01-12-2016 02:48 AM

You are welcome, Please mark as answer so that the thread will be closed

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎01-12-2016 02:42 AM

Just convert time before chart ie 

     index=* earliest=-7d|eval _time=strftime(_time,"%d-%m-%Y")|chart count over sourcetype by _time span=1d

You can use other variables instead of _time as well.

If you got the answer, just mark as answer so that the thread will be closed

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Get Updates on the Splunk Community!

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

At .conf25, Splunk proudly recognized Fast Lane as the 2025 Authorized Learning Partner of the Year. This ...

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...