Hi, I'm trying to get the system with the highest number of logs (usage) for every hour. I did a search for
`eventtype="centralizedlog" | bin span=1h _time | eval date_string=strftime(_time,"%d/%m/%y %H:%M:00") | stats count as count by date_string, System_ID |eventstats max(count) as maxcount by date_string | where maxcount==count`
which outputs a table as shown below.
| time | Highest Usage | maxcount |
|---|---|---|
| 23/4/2016 0900 | system1 | 10000 |
| 23/4/2016 1000 | system2 | 20000 |
| .... | ..... | |
However, I hope to get a chart of count over time whereby each bar is the maximum count during the 1 hr window and each bar has a different color, depending on the type of system. (Currently, all the bars in the chart are the same color, so I don't know what the corresponding system is.)
I'm quite new to Splunk Enterprise. Any help will be greatly appreciated.
Thank you!
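An added example, not part of the original post, showing how the search above can be extended so the chart gets one series (and therefore one color) per system; it assumes the same `eventtype` and `System_ID` field as in the question. Only the row with the maximum count survives for each hour, so `timechart ... by System_ID` produces a single bar per hour whose color identifies the winning system.

```spl
eventtype="centralizedlog"
| bin span=1h _time
| stats count AS count BY _time, System_ID
| eventstats max(count) AS maxcount BY _time
| where count==maxcount
| timechart span=1h max(count) AS max_usage BY System_ID
```

Switch the visualization to a stacked bar chart: each hour then shows one bar, and the legend maps colors to `System_ID`. If two systems tie in an hour, both rows survive the `where` and the bar for that hour is split between them.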