Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Need help with streamstats search -- need to display _time on x-axis.

lyndac
Contributor
‎09-05-2017 02:13 PM

I have a requirement to display the count of data received over the last 7 days. I need to show the total with a data point every 15 minutes and the count should reset (start over at 0) at midnight. (The graph looks like a saw tooth, growing til midnight then a line down to 0 and starting to grow again). The search I have is working great. I just need to somehow display the time (mm/dd hh:mm) on the x-axis.

This is my search:

index=foo | timechart span=15m count as count | addtotals fieldname=count | eval time=strftime(_time,"%H:%M") | streamstats sum(count) as totalCount  reset_after="("match(time,\"23:45\")")" |table _time, totalCount | eval _time=strftime(_time, "%m/%d %H:%M")

This generates the correct data points, but there are no labels on the x-axis where I'd like the _time to display. Currently the user must hover over a datapoint to see what date they are looking at.
Any ideas?

0 Karma
Reply

somesoni2
Revered Legend
‎09-05-2017 02:22 PM

Give this a try

index=foo | timechart span=15m count  | eval day=relative_time(_time,"@d") | streamstats sum(count) as totalCount  by day |table _time, totalCount | eval _time=strftime(_time, "%m/%d %H:%M")
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...