I am trying to present data for a specific month and breaking it down by the day.
Using my Splunk search, I am able to perform the following:
Evaluate the value based on 2 fields
Sum the values based on field 1
However, I can only present this data based on the time picker (i.e. specific day/month)
I have tried timechart but was not able to show any results
... |stats latest(A) as A, earliest(A) as B by field2, field1 |eval C=A-B |stats sum(D) as E by field1 |timechart span=1d values(D)
My goal is to present data by breaking it down into days of a month
Set timepicker to specific month;
|field1||1st day of month||2nd||3rd||.....||last day of month||total|
How can I present the data in this way (i.e. a calendar view by month)? Is there another method to do so without using the timepicker?
I've checked my query and it works fine - i.e. I'm able to get the correct calculations after the Splunk search.
However, I was still unable to present the data in the intended way using timechart. Are there alternative commands that may be useful for this?
| gentimes start=09/01/2020 end=09/30/2020
| eval _time=starttime
| eval fieldname=split("ABCD","")
| mvexpand fieldname
| eval count=random() % 13
| timechart sum(count) span=1d by fieldname
| eval time=strftime(_time,"%F")
| fields - _*
| addcoltotals labelfield=time
| transpose 0 header_field=time
I don't have a log, so I can't make an actual query.
Thanks for the reply.
However, I'm not too sure where my previous search fits here.
I've tried to fit in the earlier lines as best as I could but it still shows 'No results found'
I have a few times of calculation to evaluate readings (not counts) before presenting in the above mentioned manner.
I've tried it but it shows "No results found".
Instead, is there a way to set timepicker by day, and stitch it together with other days of the month to form a monthly report?
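
An added example, not written by anyone in this thread: one way to combine the per-day latest/earliest difference from the question with the calendar layout from the reply. The original pipeline returns nothing from timechart because stats without _time in its by clause drops _time; here the day is carried through every stats as its own field instead. The field names field1, field2 and A come from the question; the makeresults data, the site/meter values and the names last, first and day are constructed for illustration.

```spl
| makeresults count=720
| streamstats count as n
``` constructed sample data: one reading per hour across September 2020 ```
| eval _time=strptime("2020-09-01","%Y-%m-%d") + (n-1)*3600
| eval field1=if(n%2==0,"siteA","siteB")
| eval field2=if(n%4<2,"meter1","meter2")
| eval A=n*5 + random()%4
``` put the day in a separate field so _time stays intact for latest()/earliest() ```
| bin span=1d _time AS day
| stats latest(A) as last earliest(A) as first by day field1 field2
| eval C=last-first
``` sum the per-field2 differences, still split by day ```
| stats sum(C) as E by day field1
| eval day=strftime(day,"%F")
``` one row per field1, one column per day, plus a row total ```
| xyseries field1 day E
| addtotals fieldname=total
```

With real events, replace everything up to and including the `eval A=...` line with the base search and set the time picker (or earliest/latest in the search) to the month being reported.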