Update

ankurtaunk · ‎06-10-2019

I want to write a search where the events are in one column and the related counts are in each column corresponding to the date, something like this :

         01/01/18        01/02/18        01/03/18         .......             01/29/18         01/30/18
userid1  3               5               30                                   8                41
userid2  5               88              10                                   7                8
userid3  45              78              7                                    8                2

badarsebard · ‎06-10-2019

Update

So with a high cardinality field where timechart won't work you can use a straight stats then xyseries.

index=data | stats count by user, date | xyseries user date count

Previous Answer

Take a look at timechart. It creates this exact set of data but transposed; the fields are in the columns and the times in the rows.

View solution in original post

Vijeta · ‎06-10-2019

@ankurtaunk
You can use chart command , try below-

<your search>| bin span=1d _time | eval date=strftime(_time,"%Y-%m-%d")| chart count over users by date

ankurtaunk · ‎06-10-2019

Not all the dates are coming . After 10 days, I see colum with "Others". IS this Splunk's limitation that after certain colum it shows others ?

I do not think, there is any issue qith query though. Can anyone please suggest ?

Vijeta · ‎06-10-2019

@ankurtaunk Yes by default limit for timechart and chart is 10 results. You can use limit=0 option with chart and try

<your search>| bin span=1d _time | eval date=strftime(_time,"%Y-%m-%d")| chart count over users by date limit=0

ankurtaunk · ‎06-11-2019

This works too. Thanks

niketn · ‎06-10-2019

@ankurtaunk try the following run anywhere example to see if it fits your needs

index=_internal sourcetype=splunkd log_level!=INFO earliest=-7d@d latest=now
| eval Time=strftime(_time,"%Y/%m/%d")
| chart count as Error by component Time

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

badarsebard · ‎06-10-2019

Update

So with a high cardinality field where timechart won't work you can use a straight stats then xyseries.

index=data | stats count by user, date | xyseries user date count

Previous Answer

Take a look at timechart. It creates this exact set of data but transposed; the fields are in the columns and the times in the rows.

ankurtaunk · ‎06-10-2019

The problem is - there are millions of userID and I do not want them in column. I am good if I have millions of rows than column.

badarsebard · ‎06-10-2019

In that case you'll need xyseries. I'll update answer with example.

ankurtaunk · ‎06-10-2019

Your query is working fine and giving all the column. Thanks a lot.

How to table events in columns with time/date related counts

Update

Previous Answer

Update

Previous Answer

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Are you a member of the Splunk Community?

How to table events in columns with time/date related counts

Update

Previous Answer

Update

Previous Answer

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0