Hi,
We have hosts a, b, c, d, e, f.
Looking for visualizations:
1) Trend count of all "fieldname" per week for last 3 months?
2) Trend of "fieldname 2" 5 or 50 on a weekly basis with filters applied on event=AuthAccept
Both the above have filters applied on the 6 servers listed above.
Please help.
Thanks,
Splunker969
1) Trend count of all "fieldname" per week for last 3 months?
base search earliest=-3month@month latest=now | timechart count(fieldname) by host span=1w
then visualize as a trellis split by host if you want individual graphs per host.
The second one sounds the same as the first. Just add your filter to the base search.
Hi kmaron,
base search earliest=-3month@month latest=now | timechart count(fieldname) by host span=1w |search host=a OR host=b OR host=c OR host=d OR host=e
The tail I added is not working, can you help me?
Also second query please:
Trend of "fieldname 2" 5 or 50 on a weekly basis with filters applied on event=AuthAccept
Your hosts, and any other filters, should be part of your base search.
Something like this:
index=yourindex sourcetype=yoursourcetype (host=a OR host=b OR host=c OR host=d OR host=e) earliest=-3month@month latest=now | timechart count(fieldname) by host span=1w
The second query sounds identical to the first query. Just add your filter to the base search and change fieldname to fieldname2
Query 2: it is having two fields, fieldname 2, for event=AuthAccept
I don't understand. Are you saying you want a count of two different fields for all of the hosts over time?
Query 1: it is only displaying per month, not week.
Query 2: I am having two fields, i.e. fieldname 2 needed for event=AuthAccept (here event=AuthAccept is another field).
I still don't understand what you're asking for query 2. What are the two fields you want to trend on? You said event=AuthAccept is a filter. Or are you now saying event is a field that you want to trend on?
No worries, got it. Thanks.
index=yourindex sourcetype=yoursourcetype (host=a OR host=b OR host=c OR host=d OR host=e) earliest=-3month@month latest=now event=AuthAccept | timechart count(fieldname2) by host span=1w
Hi kmaron,
sourcetype=* ( host="a" OR host="b" OR host="c" OR host="d" OR host="e" OR host="f") event=AuthAccept (authlevel=5 OR authlevel=50)
earliest=-1month@month latest=now | chart count(authlevel) by date_wday
When I search, the counts of 5 and 50 are coming in one column. Can I separate them into a 5 column and a 50 column in the column chart? Any help?
Thanks,
Splunker969
Try this
sourcetype=* ( host="a" OR host="b" OR host="c" OR host="d" OR host="e" OR host="f") event=AuthAccept (authlevel=5 OR authlevel=50)
earliest=-1month@month latest=now | chart count(authlevel) by date_wday, authlevel
Hi kmaron, thanks a lot. It works.
One more question:
sourcetype=* ( host="a" OR host="b" OR host="c" OR host="d" OR host="e" OR host="f")
earliest=-1month@month latest=now | chart count over agentName by date_wday
Can you help me with distinct count of agentName on y axis and date_wday on x-axis and dates from date_wday legends on right?
Thanks,
splunker969
date_wday only gives you the day of the week. What date are you saying you want as the legend?
Chart commands are basically three pieces. Your stats command which is your count, distinct count, etc. will build your Y axis. Your X axis will be your Over field and the BY field is your legend.
http://docs.splunk.com/Documentation/Splunk/7.0.3/SearchReference/Chart
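The three pieces described above, as an added example that is not part of the original thread. It assumes nothing from the posters' environment: `makeresults` generates constructed events, the host and agentName values are made up at random, and date_wday is derived with `strftime` because generated events do not carry the default date_* fields.

```spl
| makeresults count=200
| streamstats count AS n
| eval _time = relative_time(now(), "-" . (n % 28) . "d@d")
| eval host = mvindex(split("a,b,c,d", ","), random() % 4)
| eval agentName = "agent" . (random() % 8)
| eval date_wday = lower(strftime(_time, "%A"))
| chart dc(agentName) over date_wday by host
```

Here dc(agentName) is the Y axis, date_wday is the X axis and each host becomes a legend entry; swapping the two fields (`over host by date_wday`) puts the weekdays in the legend instead.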
Hi kmaron,
Yes, you're correct! I am looking week, kmaron. I am looking for a Monday, Tuesday, Wed, Thu, Friday, Saturday, Sunday legend,
with distinct count of agentName on y axis and date_wday on x-axis and dates from date_wday legends on right.
Can you help me, kmaron?
sourcetype=* ( host="a" OR host="b" OR host="c" OR host="d" OR host="e" OR host="f")
earliest=-1month@month latest=now | stats dc(agentName) as count by date_wday
Searched this one, but the right side is unable to display the legend: Monday, Tuesday, Wed, Thu, Friday, Saturday, Sunday. Any help?
Thanks kmaron 🙂