Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Over a week's timespan, how do I display how many restarts are happening per day on a host?

orchapellico
Explorer
‎11-21-2018 10:23 AM

I am getting a bunch of nulls in my results and I'm not sure why. I am trying to build a graph that will show over a business week how many times a server is restarted. Then display is by day and host, on which days with a proper count. 

host="" "Server startup" | chart count by host, date_wday

Is there a better way? I was trying to do it with the timechart command, but i'm running into problems there.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Vijeta
Influencer
‎11-21-2018 11:18 AM

You can use below query-

 host="" "Server startup"| eval day=strftime(_time, "%A")| chart count by host day

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Vijeta
Influencer
‎11-21-2018 11:18 AM

You can use below query-

 host="" "Server startup"| eval day=strftime(_time, "%A")| chart count by host day
0 Karma
Reply
Solved! Jump to solution

orchapellico
Explorer
‎11-21-2018 12:17 PM

Thank you, this is exactly what I was looking for.

0 Karma
Reply
Solved! Jump to solution

akocak
Contributor
‎11-21-2018 11:08 AM 
host="" "Server startup" | chart count by host, date_wday usenull=false

However, If I were you, I would try to find another variable like "restart time" and use dc. also this may do it

...| timechart count by host span=1d usenull=false

Also this would do it:

host="" "Server startup" | bin _time span=1d| stats count by _time, host
0 Karma
Reply
Solved! Jump to solution

Vijeta
Influencer
‎11-21-2018 10:43 AM

Do your events have date_wday field. Looks like the events dont have this field that's why resulting into NULL.

0 Karma
Reply
Solved! Jump to solution

orchapellico
Explorer
‎11-21-2018 10:57 AM

They are not all showing up at null, that is what is throwing me off. If there is another way to do this, I would like to know. Thank you for your thoughts.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...