Hi all,
I am trying to present data for a specific month and breaking it down by the day.
Using my splunk search, I am able to perform the following:
Evaluate the value based on 2 fields
field1 | field2 | VALUE |
X1 | X1-A | 10 |
X1 | X1-B | 20 |
X2 | X2-A | 30 |
X2 | X2-B | 10 |
X3 | X3-A | 50 |
X3 | X3-B | 30 |
Sum the values based on field 1
field1 | VALUE |
X1 | 30 |
X2 | 40 |
X3 | 80 |
However, I can only present this data based on the time picker (i.e. specific day/month)
I have tried timechart but was not able to show any results
...
|stats latest(A) as A, earliest(A) as B by field2, field1
|eval C=A-B
|stats sum(D) as E by field1
|timechart span=1d values(D)
My goal is to present data by breaking it down into days of a month
e.g.
Set timepicker to specific month;
field1 | 1st day of month | 2nd | 3rd | ..... | last day of month | total |
X1 | 3 | 1 | 10 | ... | 10 | 30 |
X2 | 10 | 20 | 5 | ... | 2 | 40 |
X3 | 20 | 15 | 10 | ... | 20 | 80 |
... | ||||||
Xn (~30) |
How can I present the data in this way (i.e. a calendar view by month)? Is there another method to do so without using the timepicker?
Thanks.
Check the query line by line and see if there are any problems
Hi,
I've checked my query and it works fine - i.e. I'm able to get the correct calculations after the splunk search.
However, I was still unable to present the data in the intended way using timechart. Are there alternative commands that may be useful for this?
Thanks.
sample:
| gentimes start=09/01/2020 end=09/30/2020
| eval _time=starttime
| eval fieldname=split("ABCD","")
| mvexpand fieldname
| eval count=random() % 13
| timechart sum(count) span=1d by fieldname
| eval time=strftime(_time,"%F")
| fields - _*
| addcoltotals labelfield=time
| transpose 0 header_field=time
I don't have a log, so I can't make an actual query.
Hi to4kawa,
Thanks for the reply.
However, I'm not too sure where my previous search fits here.
I've tried to fit in the earlier lines as best as I could but it still shows 'No results found'
I have a few times of calculation to evaluate readings (not counts) before presenting in the above mentioned manner.
Thanks.
Not clear what the first part of your query is trying to do but try replacing
|stats sum(D) as E by field1
|timechart span=1d values(D)
with
|timechart span=1d sum(D) as E by field1
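An added example (not from any of the posters) that combines to4kawa's gentimes sample with ITWhisperer's suggestion: the original pipeline returns no results because a stats whose by clause lacks _time drops _time, so the following timechart has nothing to bucket; binning _time before the first stats keeps one earliest/latest pair per day, and timechart then does the per-field1 summing. The first five lines only construct a synthetic meter reading A per field2 (hourly, monotonically increasing) and are an assumption standing in for the real source; the field names follow the question.

```spl
| gentimes start=09/01/2020 end=09/30/2020 increment=1h
| eval _time=starttime
| eval field2=split("X1-A,X1-B,X2-A,X2-B,X3-A,X3-B", ",")
| mvexpand field2
| eval field1=mvindex(split(field2,"-"),0), A=floor((_time - 1598918400)/3600) * tonumber(replace(field1,"X",""))
| bin _time span=1d
| stats latest(A) as A earliest(A) as B by _time field1 field2
| eval C=A-B
| timechart span=1d sum(C) as E by field1
| eval day=strftime(_time,"%d")
| fields - _*
| addcoltotals labelfield=day label=total
| transpose 0 header_field=day column_name=field1
```

After transpose each row is one field1 value, the columns are the days of the month selected in the time picker, and the total column is the sum produced by addcoltotals; replace the five constructed lines with the real base search and the rest of the pipeline is unchanged.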
Hi ITWisperer,
I've tried it but it shows "No results found".
Instead, is there a way to set timepicker by day, and stitch it together with other days of the month to form a monthly report?
Thanks.