Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Over a week's timespan, how do I display how many restarts are happening per day on a host?

orchapellico
Explorer
‎11-21-2018 10:23 AM

I am getting a bunch of nulls in my results and I'm not sure why. I am trying to build a graph that will show over a business week how many times a server is restarted. Then display is by day and host, on which days with a proper count. 

host="" "Server startup" | chart count by host, date_wday

Is there a better way? I was trying to do it with the timechart command, but i'm running into problems there.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Vijeta
Influencer
‎11-21-2018 11:18 AM

You can use below query-

 host="" "Server startup"| eval day=strftime(_time, "%A")| chart count by host day

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Vijeta
Influencer
‎11-21-2018 11:18 AM

You can use below query-

 host="" "Server startup"| eval day=strftime(_time, "%A")| chart count by host day
0 Karma
Reply
Solved! Jump to solution

orchapellico
Explorer
‎11-21-2018 12:17 PM

Thank you, this is exactly what I was looking for.

0 Karma
Reply
Solved! Jump to solution

akocak
Contributor
‎11-21-2018 11:08 AM 
host="" "Server startup" | chart count by host, date_wday usenull=false

However, If I were you, I would try to find another variable like "restart time" and use dc. also this may do it

...| timechart count by host span=1d usenull=false

Also this would do it:

host="" "Server startup" | bin _time span=1d| stats count by _time, host
0 Karma
Reply
Solved! Jump to solution

Vijeta
Influencer
‎11-21-2018 10:43 AM

Do your events have date_wday field. Looks like the events dont have this field that's why resulting into NULL.

0 Karma
Reply
Solved! Jump to solution

orchapellico
Explorer
‎11-21-2018 10:57 AM

They are not all showing up at null, that is what is throwing me off. If there is another way to do this, I would like to know. Thank you for your thoughts.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...