I'm a newbie with Splunk, and I am trying to show each value by date in columns, but I always get the "count" value.
First, I wanted to show all File Names existing in my search, with:
host="sample" Executed="Yes" Username="user" "File Name"="*" | top limit=20 "File Name"
The result was 5 lines and three columns, "File Name", "Count" and "Percent", which are the default columns. Each file was executed 3 times at different periods of time, so I wanted to show them all with the column graph, but after several tries, it didn't work. I tried to follow this example to understand time in Splunk and adapted it like this:
host="sample" Executed="Yes" Username="user" "File Name"="*" | top limit=20 "File Name" | eval weekDay = strftime(_time,"%a") | eval HourOfDay = strftime(_time,"%H") | table _time, weekDay, HourOfDay
The result was better, but I don't know how to show the "File Name" column in the table. I missed something, can you help me?
Have you tried this?
... | table _time weekDay HourOfDay "File Name"