Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to report based on date

avikc100
Path Finder
‎01-02-2024 11:33 AM

I am getting the count of each interface, but I need it date wise

avikc100_0-1704223892584.png

as example below :

avikc100_1-1704223953548.png


please help to modify my query

Labels (2)
Labels
0 Karma
Reply

avikc100
Path Finder
‎01-04-2024 04:08 AM

@dtburrows3 

this query showing date &time haphazardly, how to sort it like 1/4/2024, 1/3/2024, 1/2/2024....

index="*" source="*" |eval
timestamp=strftime(_time, "%m/%d/%Y")
| chart limit=30
count as count
over DFOINTERFACE
by timestamp


avikc100_0-1704369551739.png

 




0 Karma
Reply

dtburrows3
Builder
‎01-02-2024 11:39 AM

Assuming that your events have proper timestamps extracted to the _time field you should be able to do this.

 

 

source="/apps/WebMethods/IntegrationServer/instances/default/logs/DFO.log"
    | timechart limit=30 span=1d 
        count as count 
            by DFOINTERFACE

 

 

0 Karma
Reply

avikc100
Path Finder
‎01-02-2024 01:09 PM

Hi @dtburrows3 

its giving different result. I just want in reverse direction
its giving me like this :

avikc100_0-1704229730075.png

but I want like this 

avikc100_1-1704229760573.png

 

0 Karma
Reply

dtburrows3
Builder
‎01-02-2024 01:13 PM

You can try this to get the report in that format.

Edit: Noticed that the chart method could mess up the order of dates from left to right so I think sorting first and then doing a transpose should fix it.

 

 

 

 

 

source="/apps/WebMethods/IntegrationServer/instances/default/logs/DFO.log"
    | timechart span=1d limit=30
        count as count
            by DFOINTERFACE
    | sort 0 +_time
    | eval
        timestamp=strftime(_time, "%m/%d/%Y")
    | fields + timestamp, *
    | fields - _*
    | transpose 30 header_field=timestamp
    | rename
        column as "DFOINTERFACE \ Date"

 

 

 

 

 

Example from my local instance.

dtburrows3_0-1704231166492.png

 

0 Karma
Reply

avikc100
Path Finder
‎01-02-2024 07:05 PM

thank you very much

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...