- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Showing daily data for specific month
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Showing daily data for specific month
Hi all,
I am trying to present data for a specific month and breaking it down by the day.
Using my splunk search, I am able to perform the following:
Evaluate the value based on 2 fields
| field1 | field2 | VALUE |
| X1 | X1-A | 10 |
| X1 | X1-B | 20 |
| X2 | X2-A | 30 |
| X2 | X2-B | 10 |
| X3 | X3-A | 50 |
| X3 | X3-B | 30 |
Sum the values based on field 1
| field1 | VALUE |
| X1 | 30 |
| X2 | 40 |
| X3 | 80 |
However, I can only present this data based on the time picker (i.e. specific day/month)
I have tried timechart but was not able to show any results
...
|stats latest(A) as A, earliest(A) as B by field2, field1
|eval C=A-B
|stats sum(D) as E by field1
|timechart span=1d values(D)
My goal is to present data by breaking it down into days of a month
e.g.
Set timepicker to specific month;
| field1 | 1st day of month | 2nd | 3rd | ..... | last day of month | total |
| X1 | 3 | 1 | 10 | ... | 10 | 30 |
| X2 | 10 | 20 | 5 | ... | 2 | 40 |
| X3 | 20 | 15 | 10 | ... | 20 | 80 |
| ... | ||||||
| Xn (~30) |
How can I present the data in this way (i.e a calender view by month)? Is there another method to do so without using the timepicker?
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Check the query line by line and see if there are any problems
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I've checked my query and it works fine - i.e I'm able to get the correct calculations after the splunk search.
However, I was still unable to present the data in the intended way using timechart. Are there alternative commands that may be useful for this?
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sample:
| gentimes start=09/01/2020 end=09/30/2020
| eval _time=starttime
| eval fieldname=split("ABCD","")
| mvexpand fieldname
| eval count=random() % 13
| timechart sum(count) span=1d by fieldname
| eval time=strftime(_time,"%F")
| fields - _*
| addcoltotals labelfield=time
| transpose 0 header_field=timeI don't have a log, so I can't make an actual query.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi to4kawa,
Thanks for the reply.
However, I'm not to sure where my previous search fits here.
I've tried to fit in the earlier lines as best as I could but it still shows 'No results found'
I have a few times of calculation to evaluate readings (not counts) before presenting in the above mentioned manner.
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not clear what the first part of your query is trying to do but try replacing
|stats sum(D) as E by field1
|timechart span=1d values(D)with
|timechart span=1d sum(D) as E by field1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi ITWisperer,
I've tried it but it shows "No results found".
Instead, is there a way to set timepicker by day, and stitch it together with others days of the month to form a monthly report?
Thanks.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
