Hello everyone,
I'm pretty new to Splunk and mostly learning as I go, so please bear with me if this is a common question or an easy answer, as I'm still figuring out a lot of things 🙂 I'm building a specific search string that will separate 1 field of information, with 5 different unique field names, counting them, and mapping this data to build a trending chart. Our data is pulled in on a daily basis. My search query works so far (although it's probably not optimized), and I'm now moving forward into the formatting stage. What I want is to ensure my chart can work off of our main dashboard that has a time picker, so that we can see the trending of our data from day, month, year, etc. My query is working, but what I'm encountering is that in the chart the data will load in on a daily mapping no matter what filter is set. This is fine on a weekly or daily filter, but when I want to view this with larger sets of data such as monthly or yearly, this comes out a bit messy. Is it possible to tweak the search string so that when the data is viewed with a monthly filter, it will give the values from the month and put the highest amount on the chart instead of every day of the month? If not, I think the other solution may just be to make a separate chart for a monthly view. That's fine too, but just thought I would ask! Thank you in advance. The screenshot below shows what I see when changing to a "monthly" view, along with a snippet of the search string.
| stats count(eval(severity=="Low")) AS Low by _time
| chart values(Low) over _time
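One way to get "the highest daily count per month" rather than one point per day is to bucket twice: first into days to produce the daily counts, then into the larger period and take the maximum of those daily counts. The search below is an added example written for this question, not the original poster's search; the index and sourcetype are placeholders, the `High` severity value is assumed (the post only shows `Low`), and `$agg_span$` is a hypothetical dashboard token (for example a dropdown offering `1d`, `1w`, `1mon`) that you would add beside the time picker.

```spl
index=<your_index> sourcetype=<your_sourcetype> severity=*
| bin _time span=1d
| stats count(eval(severity=="Low")) AS Low count(eval(severity=="High")) AS High by _time
| bin _time span=$agg_span$
| stats max(Low) AS Low max(High) AS High by _time
```

The first `bin`/`stats` pair reproduces the daily counts the original search already computes, so a `1d` token keeps the chart exactly as it is today. The second `bin` re-buckets those daily rows into the period selected by the token, and `max()` keeps only the peak day in each bucket, which is what the monthly view asked for. The result already has one row per period keyed by `_time`, so it can be charted directly as a line or column chart without a further `chart ... over _time`. If you prefer a fixed monthly panel instead of a token, replace `$agg_span$` with `1mon`; the same pattern extends to the remaining severity values by adding a `count(eval(...))` and a matching `max()` for each.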