Tabular report showing count based on time range

chintan_shah · ‎09-07-2017

Hi,

I need to create report in format.
Could anyone help me in achieving this.
I can have time interval of 2 hours as well if cannot have in the format.

woodcock · ‎09-07-2017

If you just need count, this should be lightning fast:

| tstats count where index=_* BY date_wday date_hour 
| eval date_wday=case(date_wday="sunday"   , "      sunday",
                      date_wday="monday"   , "     monday",
                      date_wday="tuesday"  , "    tuesday",
                      date_wday="wednesday", "   wednesday",
                      date_wday="thursday" , "  thursday",
                      date_wday="friday"   , " friday",
                      true(), date_wday)
| chart first(count) OVER date_hour BY date_wday
| addtotals row=t col=t
| eval date_hour=if(date_hour>23, "TOTAL", date_hour)

niketn · ‎09-07-2017

@chintan_shah, please check out Punchcard Custom Visualization App (https://splunkbase.splunk.com/app/3129/), it will load some examples with date_hour and count, which would plot the data as per your need.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

jackson1990 · ‎09-07-2017

can you provide some input data? i mean with fields

chintan_shah · ‎09-07-2017

its just the count of events, my requirement is to show counts based on the time range.

Tabular report showing count based on time range

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?