Sort result by date and show it on Dashboard

Hi all,

I'm a newbie with Splunk, and I am trying to show each value by date in columns, but I always get the "count" value.

First, I wanted to show all the File Name values existing in my search, with:

host="sample" Executed="Yes" Username="user" "File Name"="*" | top limit=20 "File Name"

The result was 5 lines and three columns, "File Name", "Count" and "Percent", which are the default columns. Each file was executed 3 times at different periods of time, so I wanted to show them all with the column graph, but after several tries, it didn't work. I tried to follow this example to understand time in Splunk and adapted it like this:

host="sample" Executed="Yes" Username="user" "File Name"="*"  | top limit=20 "File Name" |  eval weekDay = strftime(_time,"%a") | eval HourOfDay = strftime(_time,"%H") | table _time, weekDay, HourOfDay

The result was better, but I don't know how to show the "File Name" column in the table. I missed something; can you help me?

Thank you.

Re: Sort result by date and show it on Dashboard

Have you tried this?

... | table _time weekDay HourOfDay "File Name"
---
If this reply helps you, an upvote would be appreciated.

Re: Sort result by date and show it on Dashboard

Or ... | timechart count by "File Name", for that matter.
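Both replies put together with the original base search, as an added example that is not part of the thread: `top` returns only aggregated rows ("File Name", count, percent) and discards `_time`, so any `strftime(_time, ...)` evaluated after it is null; the fix is to derive the time fields from the raw events and then either tabulate them with "File Name" (first search, sorted by date as the title asks) or let `timechart` do the per-period counting (second search). The `span=1h` and `limit=20` values are assumptions chosen for illustration.

```spl
host="sample" Executed="Yes" Username="user" "File Name"="*"
| eval weekDay=strftime(_time,"%a"), HourOfDay=strftime(_time,"%H")
| table _time weekDay HourOfDay "File Name"
| sort 0 _time

host="sample" Executed="Yes" Username="user" "File Name"="*"
| timechart span=1h limit=20 count by "File Name"
```

The first search lists one row per execution; the second feeds a column chart directly, with one series per file and one column per hour.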

Re: Sort result by date and show it on Dashboard

Oh OK, that was so simple; I tried a more complex solution.