Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Timechart question

bgill0123
Loves-to-Learn
‎04-06-2018 07:38 AM

I am currently running this search:

index=events host=hig1* or host=hig2* | timechart span-1d dc(host)

the search works and I get the results I need however is there a way to list out all hosts and still get the count?

thanks

Tags (1)
0 Karma
Reply

DalJeanis
Legend
‎04-06-2018 08:41 AM

1) OR should be capitalized. 2) span=1d

I don't see how it would work, visually, to show a count and also the names in a single viz panel. Seems like you might want a line chart or bar chart for the dc, and then have a different viz for the names. Like, for instance, build a popup using JS so that when you hover over a particular day, it gets the list of unique names for that day.

0 Karma
Reply

mayurr98
Super Champion
‎04-06-2018 07:45 AM

Try this

index=events host=hig1* OR host=hig2* | timechart span=1d dc(host) values(host)

let me know if this helps!

0 Karma
Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...