Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Tabular report showing count based on time range

chintan_shah
Path Finder
‎09-07-2017 10:36 AM

Hi,

I need to create report in alt text format.
Could anyone help me in achieving this.
I can have time interval of 2 hours as well if cannot have in the format.

Preview file
13 KB
0 Karma
Reply

woodcock
Esteemed Legend
‎09-07-2017 09:32 PM

If you just need count, this should be lightning fast:

| tstats count where index=_* BY date_wday date_hour 
| eval date_wday=case(date_wday="sunday"   , "      sunday",
                      date_wday="monday"   , "     monday",
                      date_wday="tuesday"  , "    tuesday",
                      date_wday="wednesday", "   wednesday",
                      date_wday="thursday" , "  thursday",
                      date_wday="friday"   , " friday",
                      true(), date_wday)
| chart first(count) OVER date_hour BY date_wday
| addtotals row=t col=t
| eval date_hour=if(date_hour>23, "TOTAL", date_hour)
0 Karma
Reply

niketn
Legend
‎09-07-2017 11:01 AM

@chintan_shah, please check out Punchcard Custom Visualization App (https://splunkbase.splunk.com/app/3129/), it will load some examples with date_hour and count, which would plot the data as per your need.

alt text

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Preview file
44 KB
Reply

jackson1990
Path Finder
‎09-07-2017 10:39 AM

can you provide some input data? i mean with fields

0 Karma
Reply

chintan_shah
Path Finder
‎09-07-2017 10:41 AM

its just the count of events, my requirement is to show counts based on the time range.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...