The following query will display a simple chart for trend comparison. This works well if you keep the days you're comparing =< 4 days. The Query: index="my_index" | search src="all_sources" | bin _time as Time | eval Day=strftime(Time,"%m-%d") | eval Hour=strftime(Time,"%H") | chart eval(round(avg(transfer_duration), 2)) as AvgXferDuration over Hour by Day The above query will produce the following graph. (as long as its =< 4 days) Now, if you increase the days to > 4 days. For example, if you want to see a week's trend (7 days). You will get the following graph. Notice the graph lines become scattered points in the center. (not sure why this happens) What is the proper way to display the graph for multiple days? e.g. > 4 days, 7 days, etc. ... View more

Has any one else experienced this error while configuring this app? I click on Setup->Websites and receive this error XML Syntax Error: Cannot find object mapper for panel type: title ... View more

I built a dashboard using Sideview Utils postprocess searching, works fine in one environment but when I copy over the XML to a separate environment where I copied over the Sideview Utils framework (same version as working env.) The dashboard does not render any results. At first, I thought of the obvious which was permission issues, but that didnt appear to be the problem. Or is it? The environment where I manually installed Sideview Utils does not have internet connection to Splunk because of network classification. Can that be an issue? ... View more

I have a search that breaks down what files were accessed, how much data was retrieved and how many total requests for one particular field. Example search query below: index="my_index" source="access_log" directory="/my_app/" | chart count(status_code) AS Requests, sum(file_size) AS TotalData, values(path_to_file) AS FileRequested BY directory The above query produces something like: directory Requests TotalData FileRequested my_app 10 345677 html/index.html images/happy_face.png dynamic/more_happy.py While this is fine if you only care about the TOTAL number for the entire directory, I would like to break it down so that I can display the number of requests and total data for each of the files requested listed by the directory. The directory should only be displayed once like the example above. Any suggestions? I've tried a couple of different ways but I cant get the directory to only display once and the rest of the rows populated with relevant data per file requested. ... View more

I have a dashboard which displays saved searches with historical data (past days) and its a little confusing to see that every time I click on a dashboard the Refresh indicator displays "1s ago", when really the data is from yesterday for example. Has anyone played with this option within the advanced XML of the dashboard? Maybe its an obscure module. I played around with the refresh option of the <view> tag, but no go. Any input is appreciated. ... View more

I've read most (if not all) of the questions/answers related to getting an average count of hits per hour. I've experimented with some of the queries posted by fellow splunkers and for the most part they've worked when using small queries (i.e. charting the two fields Total Count and Average Count . However, I've concocted a somewhat lengthy search query that doesn't seem to work correctly when trying to find the Average Request Per Hour (AvgReqPerHour) column. Let me show you what I have here. ... | timechart span=1h count(status_code) AS Events, count(eval(status_code>=200 AND status_code<=206)) AS SuccessfulRequests, count(eval(status_code>=300 AND status_code<=307)) AS RedirectedRequests, count(eval(status_code>=400 AND status_code <=505)) AS FailedRequests, dc(user_agent) AS TotalUsers, sum(file_size) AS TotalData, avg(file_size) AS AvgDataPerHour, avg(Events) AS AvgReqPerHour, avg(seconds) AS AvgResponseTimeSec So, this search should display some useful columns for finding web related stats. It counts all status codes and gives the number of requests by column and gives me averages for data transferred per hour and requests per hour. I hope someone else has done something similar and knows how to properly get the average requests per hour. ... View more