- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Not getting by day results for a timechart
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm banging my head against the wall. Here's my search:
host="atlassian-stash*" sourcetype=atlassian source="/opt/atlassian/stash-data/log/atlassian-stash-access*.log" | timechart dc(stash_users) span=1d AS "Unique Stash Users"
stash_users is an extracted field. Pretty clear from search results that it's working correctly.
When I run the above, I get 8 results (as though it thinks it's giving me by day results) the only days with values are 2/18 and 2/11. As though it's counting unique stash_users by week.
I have this precise format working with a different extracted field on a different file. Hence the head banging.
Help appreciated.
Karla
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That's it! The problem is my field extraction. It was based on a filename. The entries for the others days came from log files with a different named format.
Thanks for the ideas!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That's it! The problem is my field extraction. It was based on a filename. The entries for the others days came from log files with a different named format.
Thanks for the ideas!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There has to be a problem with the way I've extracted the field. It's too simple for it to be anything else.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No change in behavior. 😞
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just for sanity,
change the order of your timechart to avoid having the span between the function and the "AS"
| timechart span=1d dc(stash_users) AS "Unique Stash Users"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
what do u get by host="atlassian-stash"
sourcetype=atlassian source="/opt/atlassian/stash-data/log/atlassian-stash-access.log"|bucket _time span=1d| stats dc(stash_users) by _time?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Didn't fix it. Here's my query now:
host="atlassian-stash*" sourcetype=atlassian source="/opt/atlassian/stash-data/log/atlassian-stash-access*.log" | timechart span=1d dc(stash_users) AS "Unique Stash Users"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
good, @di2esysadmin please accept the answer to mark it as resolved.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is it 😄
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What do you get if you just make a |bucket _time span=1d| stats dc(stash_users) by _time instead of timechart?
Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users
Everything Community at .conf24!
Index This | I’m short for "configuration file.” What am I?
