Hi kmaron,

base search earliest=-3month@month latest=now | timechart count(fieldname) by host span=1w |search host=a OR host=b OR host=c OR host=d OR host=e the tail i added is not working can you hlep me .

Also second query please
Trend of "filedname 2" 5 or 50 on a weekly basis with filters applied on event=AuthAccept

your hosts, and any other filters, should be part of your base search

something like this:

index=yourindex sourcetype=yoursourcetype (host=a OR host=b OR host=c OR host=d OR host=e) earliest=-3month@month latest=now | timechart count(fieldname) by host span=1w

The second query sounds identical to the first query. Just add your filter to the base search and change fieldname to fieldname2

query 2-It is having two fileds filedname 2 for event=AuthAccept

I don't understand. are you saying you want a count of two different fields for all of the hosts over time?

Query 1 it is only displaying per month not week .
query 2 i am having two fileds ie. filedname 2 needed for event=AuthAccept (here event= AuthAccept is other filed )

I still don't understand what you're asking for query 2. What are the two fields you want to trend on? you said event=AuthAccept is a filter Or are you now saying event is a field that you want to trend on?

no worries got it .Thanks

index=yourindex sourcetype=yoursourcetype (host=a OR host=b OR host=c OR host=d OR host=e) earliest=-3month@month latest=now event=AuthAccept | timechart count(fieldname2) by host span=1w

Hi Kmaron ,

sourcetype=* ( host="a" OR host="bOR host="c" OR host="d" OR host="e" OR host="f") event=AuthAccept (authlevel=5 OR authlevel=50)
earliest=-1month@month latest=now | chart count(authlevel) by date_wday
when I search count of 5 and 50 are coming in one column can i separate the 5 column and 50 separate c;columns in column chart .Any help .

Thanks,
Splunker969

Try this

sourcetype=* ( host="a" OR host="bOR host="c" OR host="d" OR host="e" OR host="f") event=AuthAccept (authlevel=5 OR authlevel=50)
earliest=-1month@month latest=now | chart count(authlevel) by date_wday, authlevel

Hi kmaron thanks a lot It works .

One more question -

sourcetype=* ( host="a" OR host="bOR host="c" OR host="d" OR host="e" OR host="f")
earliest=-1month@month latest=now | chart count over agentName by date_wday

Can you help me with distinct count of agentName on y axis and date_wday on x-axis and dates from date_wday legends on right .

Thanks,
splunker969

date_wday only gives you the day of the week. What date are you saying you want as the legend?

Chart commands are basically three pieces. Your stats command which is your count, distinct count, etc. will build your Y axis. Your X axis will be your Over field and the BY field is your legend.

http://docs.splunk.com/Documentation/Splunk/7.0.3/SearchReference/Chart

Hi kmaron ,

yes your correct! Iam looking week kamron Iam looking for monday ,tuesdya,wed,th,friday,saturday,sunday legend .

with distinct count of agentName on y axis and date_wday on x-axis and dates from date_wday legends on right .
can you help me kmaron

sourcetype=* ( host="a" OR host="bOR host="c" OR host="d" OR host="e" OR host="f")
earliest=-1month@month latest=now|stats dc(agentName) as count by date_wday

serached this one but right side unable to display legend- monday ,tuesdya,wed,th,friday,saturday,sunday legend .Any help?

Thanks kmaron 🙂