Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Put the time a the top of a timechart

Alaza
Explorer
‎03-08-2018 07:46 AM

alt text

Hello,
How can I have a table like the picture with the time a the top, the type on the right side and a count by date on the row ?
With timechart It doesn't work :

index="Ico_number" Type_Group
| timechart count by Type_Group

Tags (3)
Preview file
15 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tiagofbmm
Influencer
‎03-08-2018 07:59 AM

Try this and adjust to your case

index=_internal 
| bucket _time span=1h 
| chart count by source, _time 
| addtotals

alt text

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-08-2018 08:00 AM

Hi Alaza,
only few additional information to better understand your needs:

  • What's "Type_Group" a field or a string to search?
  • why do you say that timechart isn't running? don't you receive events or do they aren't correctly organized?
  • did you used span?

From your picture I see that you haven't weekends, you can filter results putting date_wday!=sunday OR date_waday!=saturday in your main search.
In other words, try something like this

index="Ico_number" date_wday!=sunday OR date_waday!=saturday
| timechart span=1d count by Type_Group

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

Alaza
Explorer
‎03-08-2018 08:09 AM

Type_Group is a field and I can't display the value like the picture, weekend or not.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-08-2018 09:19 AM

Ok this probably is the reason because your search doesn't run, if you put a field in a search you have to assign a value, something like this

index="Ico_number" Type_Group=*

otherwise Splunk interpretes "Type_Group" as a string to search.
So try something like this
index="Ico_number" Type_Group=*
| timechart span=1d count by Type_Group
Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

Alaza
Explorer
‎03-09-2018 12:42 AM

Thanks for your help, it works now.

0 Karma
Reply
Solved! Jump to solution
Solution

tiagofbmm
Influencer
‎03-08-2018 07:59 AM

Try this and adjust to your case

index=_internal 
| bucket _time span=1h 
| chart count by source, _time 
| addtotals

alt text

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...